Re: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:

>
> Sending the user's cookies, as AC4CSR does, is just not a viable  
> design, since the target resource cannot determine whether or not  
> the user consented to the request. I've posted several explanations  
> of the attacks enabled by this use of ambient authority, and, in my  
> opinion, the issues are still outstanding. The use of ambient  
> authority in AC4CSR is a show-stopper, as reflected in the decision  
> Mozilla announced on this mailing list.

Can you please post these examples again, or pointers to where you  
posted them? I believe they have not been previously seen on the Web  
API list. A number of people have mentioned that the AC approach to  
cross-site XHR is insecure (or that XDR is somehow more secure), but I  
have not yet seen any examples of specific attacks. I would love to  
see this information. If I do not see a description of a specific  
attack soon I will assume these claims are just FUD.

Note also that sending of cookies is not an essential feature of  
AC4CSR; certainly it could be a viable spec with that feature removed.  
Do you believe there are any other showstopper issues?

Regards,
Maciej

Received on Thursday, 3 April 2008 00:49:42 UTC
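The ambient-authority point in the quoted message, as an added illustration that is not part of the thread: a simulated cross-site target that trusts the browser-attached session cookie cannot tell a request the user's page consented to from one another site's page triggered, whereas a target that ignores cookies and requires authority the calling page was explicitly given can. All names, header fields and values are constructed for the example.

```python
"""Added example (not from the thread): cookie-based ambient authority leaves a
cross-site target unable to distinguish consent from forgery.

Browser and server are simulated in-process; every value here is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_COOKIE = "sid=constructed-session-123"   # constructed sample value
EXPLICIT_TOKEN = "tok-constructed-abc"           # constructed sample value


@dataclass
class Request:
    origin: str                                  # page that issued the call
    headers: Dict[str, str] = field(default_factory=dict)


def browser_send(origin: str, logged_in: bool,
                 token: Optional[str] = None) -> Request:
    """Model the browser attaching the user's cookies to every request,
    whichever page triggered it: that is the ambient authority at issue."""
    headers: Dict[str, str] = {}
    if logged_in:
        headers["Cookie"] = SESSION_COOKIE
    if token is not None:
        headers["X-Explicit-Token"] = token      # hypothetical header name
    return Request(origin, headers)


def handle_ambient(req: Request) -> str:
    """Policy the quoted message criticises: the cookie alone decides."""
    return "allowed" if req.headers.get("Cookie") == SESSION_COOKIE else "denied"


def handle_explicit(req: Request) -> str:
    """Alternative: cookies are ignored for cross-site calls and the calling
    page must present authority it was explicitly handed."""
    tok = req.headers.get("X-Explicit-Token")
    return "allowed" if tok == EXPLICIT_TOKEN else "denied"


def compare(policy: Callable[[Request], str]) -> Dict[str, str]:
    """Run one consented and one third-party-triggered request through a policy.
    The logged-in user visits both pages, so both requests carry the cookie."""
    consented = browser_send("https://app.example", True, token=EXPLICIT_TOKEN)
    forged = browser_send("https://other.example", True)   # never got a token
    return {"consented": policy(consented), "forged": policy(forged)}
```

Under `handle_ambient` both requests look identical to the server, which is the "cannot determine consent" problem; `handle_explicit` separates them without relying on the cookie.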