W3C home > Mailing lists > Public > www-forms@w3.org > November 2004

Re: XForms - Secure or Insecure?

From: Darin Fisher <darin@meer.net>
Date: Tue, 23 Nov 2004 02:09:26 +0000 (UTC)
To: www-forms@w3.org
Message-ID: <loom.20041123T023348-846@post.gmane.org>

Mark Birbeck <mark.birbeck <at> x-port.net> writes:

> 
> Aaron,
> 
> We obviously have very different concepts of what web services are!
> 
> I would have thought that just about all web services that you refer to
> would be in "domains different to the one where the page was downloaded". As
> it happens, that's what makes it so exciting - in one form we can search
> both Google and Amazon for the same word; in one form we can find a zip code
> from an address, and then use that zip code to find weather and traffic
> reports; in one form I can monitory umpteen news feeds or RSS logs, or even
> manage my Atom-powered blog (coming soon ;)).
> 
> In other words, far from causing a problem, XForms makes these new-fangled
> web services accessible. Let's face it, despite being around for years web
> services are pretty much unusable by anyone outside of a corporate IT
> department.
> 
> Regards,
> 
> Mark
> 
> 
> Mark Birbeck
> CEO
> x-port.net Ltd.
> 
> e: Mark.Birbeck <at> x-port.net
> t: +44 (0) 20 7689 9232
> w: http://www.formsPlayer.com/
> 
> Download our XForms processor from
> http://www.formsPlayer.com/
> 
> > -----Original Message-----
> > From: www-forms-request <at> w3.org
> > [mailto:www-forms-request <at> w3.org] On Behalf Of Aaron Reed
> > Sent: 24 August 2004 21:50
> > To: www-forms <at> w3.org
> > Subject: XForms - Secure or Insecure?
> > 
> > 
> > 
> > I also have a question about XForms security.  For example,
> > the formsPlayer example at: 
> > http://www.formsplayer.com/community/samples/google-search.html.
> > 
> > Running this example in a browser should raise eyebrows.
> > Submitting SOAP to 
> > domains DIFFERENT from the one where the page was downloaded 
> > and REPLACING content in the current page so that the user 
> > doesn't have any kind of cue that something just happened 
> > seems like the kind of power for a form that we don't want to 
> > encourage (in a browser context, at least).  Is this 
> > something that is going to be addressed in the 1.1 spec when 
> > the SOAP stuff goes in?
> > 
> > --Aaron
> > 
> > 
> > 
> 
> 



Hi Mark,

Let me give you an example to ponder:

A user browses his corporate intranet.  He loads a page that connects
him to a Web Service that lives on his corporate intranet.  His browser
prompts him to enter his username and password for HTTP authentication
(or some other mechanism, cookies perhaps, are used to manage his logon
session).

Now, the user checks his email and receives a very familiar looking 
email regarding some familiar work-related thing, and he clicks the link.
Unbeknownst to the user, the link he is directed to is actually to a 
web site on the _internet_ (established in this case by a disgruntled
employee).  The web site directs the user's browser to the aforementioned
Web Service, collects some corporate secrets, and then sends them out over
the internet.

This problem exists because the hypothetical browser in this example
allows a web site from one domain to communicate with Web Services from
a second domain.

The Mozilla web browser takes care to avoid these sort of cross-domain
security problems by restricting XML transactions to the origin host
exclusively.  This is done for XMLHttpRequest (the equivalent of MSXML's
XMLHTTP ActiveX component), document.load, and SOAP.

Mozilla does permit cross-origin HTML form posts because it is very 
difficult to exploit those (save for some classic examples involving
SMTP).

As a developer of Mozilla's XForms submission code, I am very concerned
about allowing XForms XML submission to any host other than the origin
server by default.  There would definitely be preferences to allow this
to be configured, but I think it is important to select the default
behavior carefully.

Regards,

Darin Fisher
IBM
Received on Tuesday, 23 November 2004 07:19:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 10 March 2012 06:21:59 GMT