
DOM Level 2 HTML form.submit() safety / security

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 20 Apr 2006 08:10:20 -0700
Message-Id: <3DAAE540-68E7-440E-B5B0-C7098EE2D3D9@mnot.net>
To: www-dom@w3.org

I'd like to raise an issue regarding the DOM Level 2 HTML  
Specification, in particular HTMLFormElement.submit().
   http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-76767676

HTTP has a well-defined concept of safety;
   http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
whereas unsafe methods require user interaction, so that intent is  
assured. This is mirrored in the Architecture of the World Wide Web;
   http://www.w3.org/TR/webarch/#safe-interaction

Unfortunately, HTMLFormElement.submit() allows scripts to make
potentially unsafe requests (e.g., with POST) to arbitrary sites, as  
explained here;
   http://www.net-security.org/dl/articles/AdvancedXSS.pdf

Because of this hole, any Web site that accepts an unsafe method has  
to take special measures to assure that the request has actually been  
made with the knowledge of the user.

This is in conflict with both the architecture of the World-Wide Web,  
and the design of HTTP. It's also a Cross-Site Scripting  
vulnerability, and therefore should be handled as a security problem  
in the DOM Level 2 HTML specification.

I would suggest that the remedy is to add a note or security  
considerations section, to the effect that unsafe requests (e.g.,  
POST) generated from HTMLFormElement.submit() MUST be authorised by
the user. User-agents MAY get such permission by allowing the user to  
configure a "white list" of sites, allowing the user to specify that  
requests to the same site are always permitted, etc.

If this has been discussed / decided before, please send a reference,  
and apologies for the duplication.

Regards,

--
Mark Nottingham     http://www.mnot.net/
Received on Thursday, 20 April 2006 15:10:27 UTC
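
Added example, not part of the original message: one common form of the "special measures" a site takes before acting on an unsafe request, written for Node.js. The session-bound HMAC form token, the Origin header comparison, the request object shape and all names (SERVER_KEY, form_token, checkRequest) are assumptions of this sketch, not something the message specifies.

```javascript
const crypto = require("node:crypto");

// RFC 2616 section 9.1.1 names GET and HEAD as the safe methods.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Hypothetical server-side secret, constructed for this example only.
const SERVER_KEY = Buffer.from("constructed-example-key");

// Token the site embeds in its own forms: an HMAC over the session id.
// A page on another site can script form.submit() against this site,
// but it cannot read this value, so it cannot include it in the request.
function issueFormToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

function tokenMatches(sessionId, presented) {
  const expected = Buffer.from(issueFormToken(sessionId), "hex");
  const given = Buffer.from(String(presented || ""), "hex");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// req is a plain object { method, headers, sessionId, body } (assumed shape).
function checkRequest(req, siteOrigin) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  // Unsafe method: reject when the browser reports a different origin.
  const origin = req.headers["origin"];
  if (origin !== undefined && origin !== siteOrigin) {
    return { allowed: false, reason: "cross-site origin" };
  }
  // The header may be absent, so the token is always required as well.
  if (!tokenMatches(req.sessionId, (req.body || {}).form_token)) {
    return { allowed: false, reason: "missing or invalid form token" };
  }
  return { allowed: true, reason: "token verified" };
}
```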
