- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 11 Jun 2006 19:09:32 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
* Mark Nottingham wrote: >Also, AFAICT, all of the purported security problems (which are >*still* hazy) occur with cross-domain XHR, when the spec at hand only >specifies single-domain XHR. If you have a single host with a single entity responsible for all script logic and the server setup is is indeed relatively safe to assume this entity would not write script logic that poses risks for the host or its users. However, it is not safe to assume that this is always the case. As an example, script injection vulnerabilities are rather common. It is also common to attempt to work around such vulnerabilities, for example "HttpOnly Cookies" are supposed to prevent cookie stealing even if there is a script injection vulnerability. And they do that, until you inject a script that does a TRACE. The same goes for HTTP authentication credentials, they are not available to scripts, so even with a script injection vulnerability you don't have access to them, until you do a TRACE. Also note that having a script injection vulnerability does not necessarily mean the entity responsible for the web service made any obvious mistake; browser vendors keep adding new features that make previously safe codes unsafe and service providers have a hard time to keep up with new threats. You'll have to look at this from the user perspective. A browser that does not allow (for example) TRACE requests is less risky to use than one that does allow it. The question for browser vendors is then "Do we want to make a product that's more risky to use than competing products?" -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de 68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Sunday, 11 June 2006 17:09:44 UTC