W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

[cors] Protecting benign but buggy client side code

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 20 Aug 2010 18:59:09 -0700
Message-ID: <AANLkTi=bgVNgWT7oshNVpLuD_2cN6brAu6AZ9Tdip4S4@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>
Hi

The CORS specification in its current form seems to be very concerned
about increasing attack surface of benign servers (the preflight
request etc. concern). Seeing [1] I am concerned about the other case
- benign clients and malicious cross origin servers.

for the tl;dr crowd - my (possibly wrong) summary of the attack
facebook.com loads content using the stuff after a '#' in a URL, thus
facebook.com/#profile.php loads content from facebook.com/profile.php
using XHR.
a URL like facebook.com/#evil.com/evil.php , with evil.com configured
to "AccessControlAllowOrigin *" could result in HTML injection.

It seems that over here facebook is a benign server that some time in
the past assumed that XHR can only be same origin, and with the
introduction of cross origin XHR is suddenly vulnerable to XSS. In
general, a client needs to 'add' stuff to its js to be safe after the
introduction of XHR. This isn't ideal.


Regards
devdatta

[1] http://m-austin.com/blog/?p=19
Received on Saturday, 21 August 2010 02:00:03 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT