W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: Proposal for an extension XMLHttpRequest to allow sending files

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 29 Jul 2008 01:48:36 -0700
Message-ID: <488ED964.8030202@sicking.cc>
To: Sam Weinig <weinig@apple.com>
Cc: Arthur Barstow <art.barstow@nokia.com>, Web Applications Working Group WG <public-webapps@w3.org>

Sam Weinig wrote:
> 
> On Jul 28, 2008, at 10:45 AM, Jonas Sicking wrote:
> 
>>
>> Arthur Barstow wrote:
>>> Hi Sam,
>>> This seems like a reasonable extension to me.
>>> A colleague asks "Are there any new security concerns by putting this 
>>> inside XHR, or is the assumption that we are not exposing anything new?"
>>> What are your thoughts on that question? I presume "not exposing 
>>> anything new" given this type of functionality is already provided 
>>> (e.g. form submission as mentioned below).
>>
>> Yes, I believe that when we implemented a similar feature in mozilla 
>> (different API though) we came to the conclusion that it didn't expose 
>> anything significantly new.
>>
>> There were a few differences though:
>> If the File object can be stored in an offline cache, this means that 
>> somebody could today be theoretically protected while inside a 
>> corporate firewall, as long as they always restart the browser before 
>> leaving that firewall. I.e. even if you were somehow tricked into 
>> choosing to upload a file, a corporate firewall could protect that 
>> data from ever reaching the server. However if the File object can be 
>> stored in a offline cache, such as localStore, then restarting the 
>> browser will not prevent this.
> 
> I am not sure this is a real attack vector, as the only local storage 
> provided are string based, so one could not store the File object itself.

As of right now yes. Though this might change in the future.

/ Jonas
Received on Tuesday, 29 July 2008 08:50:11 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT