
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 6 Apr 2009 13:54:56 -0700
Message-ID: <63df84f0904061354u2296e63fw86a8e0e300064447@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps@w3.org
On Mon, Apr 6, 2009 at 11:29 AM, Tyler Close <tyler.close@gmail.com> wrote:
> It looks like the client-side API for cross-origin messaging is the
> same as the current XMLHttpRequest API. I think there's a security
> issue with this decision. The current XMLHttpRequest implementation
> drops any attempted cross-origin request. This implementation protects
> a client-side application that inadvertently sends a request to an
> unexpected target URL. Since the request is dropped by the browser
> implementation, any client credentials (such as a password) in the
> request body are not exposed to the wrong server. Since XMLHttpRequest
> has, to date, provided this protection, client scripts have had no
> real need to vet the URLs that they send messages to. Consequently, it
> seems unlikely that these scripts do any vetting of their target URLs.
> It may be possible for an attacker to cause a client script in another
> domain to send a request to a target URL on the attacker's server.
> Since the attacker controls his server, the resource can be marked as
> accepting cross-domain requests. Since the client script wasn't
> expecting such requests to succeed, it may include client credentials
> in the sent request.

How would the script include client credentials in the request? Can
you show an example of the type of script you are concerned
about?

/ Jonas
Received on Monday, 6 April 2009 20:55:46 GMT
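The concern raised above is that a client script, having never needed to vet its target URL, might attach credentials to a request that resolves to an unexpected origin. The following is an added illustration (not code from this thread, from either correspondent, or from any browser's CORS implementation) of what such vetting looks like on the client side: the target is resolved against the page's base URL, its full origin (scheme, host and port) is compared against an allowlist, and credentials are only attached when the origin is either the page's own or explicitly allowlisted. The allowlist entries, the base URL and the `example.test` hostnames are constructed sample values.

```javascript
// Added example: client-side target-origin vetting before attaching credentials.
// Everything here (origins, base URL, function names) is assumed for illustration.

// Constructed allowlist of cross-origin endpoints this script trusts with credentials.
const ALLOWED_ORIGINS = new Set([
  "https://api.example.test",
]);

// Resolve a possibly-relative target the way the browser would (against the
// page's base URL) and return its origin, or null if the URL cannot be parsed.
// Note that protocol-relative targets such as "//other.test/x" resolve to a
// different origin than the page, which a naive string check would miss.
function resolveOrigin(target, base) {
  try {
    return new URL(target, base).origin;
  } catch (e) {
    return null;
  }
}

// True only when the resolved origin is on the allowlist. Opaque origins
// (data:, blob: from another origin, etc.) serialize as the string "null" and
// are rejected explicitly. Port is part of the origin, so a different port on an
// allowlisted host is not allowed.
function isAllowedTarget(target, base, allowed = ALLOWED_ORIGINS) {
  const origin = resolveOrigin(target, base);
  if (origin === null || origin === "null") return false;
  return allowed.has(origin);
}

// Decide what a request wrapper should do with a target and a credentials flag:
//   - same-origin: send as requested
//   - cross-origin without credentials: send without credentials
//   - cross-origin with credentials: send only if allowlisted, otherwise refuse
// The returned plan is what a wrapper around XMLHttpRequest would act on.
function planRequest(target, base, options = {}) {
  const wantsCredentials = Boolean(options.credentials);
  const origin = resolveOrigin(target, base);
  if (origin === null || origin === "null") {
    return { action: "refuse", reason: "unparsable or opaque target", origin };
  }
  const sameOrigin = origin === new URL(base).origin;
  if (sameOrigin) {
    return { action: "send", withCredentials: wantsCredentials, origin };
  }
  if (!wantsCredentials) {
    return { action: "send", withCredentials: false, origin };
  }
  if (isAllowedTarget(target, base)) {
    return { action: "send", withCredentials: true, origin };
  }
  return { action: "refuse", reason: "credentials to non-allowlisted origin", origin };
}
```

A wrapper built on `planRequest` would call `open()`/`send()` only when the plan's `action` is `"send"`, and would set `withCredentials` from the plan rather than from the caller's request, so that an unexpected resolution of the target URL cannot carry credentials to an origin the script never intended to talk to.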

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT