- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 3 Apr 2008 01:08:06 +0000
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Jonas Sicking <jonas@sicking.cc>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>, Nikhil Kothari <nikhilko@microsoft.com>
Maciej Stachowiak wrote:
> On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:
>
> > Sending the user's cookies, as AC4CSR does, is just not a viable
> > design, since the target resource cannot determine whether or not
> > the user consented to the request. I've posted several explanations
> > of the attacks enabled by this use of ambient authority, and, in my
> > opinion, the issues are still outstanding. The use of ambient
> > authority in AC4CSR is a show-stopper, as reflected in the decision
> > Mozilla announced on this mailing list.
>
> Can you please post these examples again, or pointers to where you
> posted them? I believe they have not been previously seen on the Web
> API list.

I've written several messages to the appformats mailing list. I suggest reading all of them. The most detailed description of the attacks is in the message at:

http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B6507@G6W0269.americas.hpqcorp.net

with a correction at:

http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B650D@G6W0269.americas.hpqcorp.net

> A number of people have mentioned that the AC approach to
> cross-site XHR is insecure (or that XDR is somehow more secure), but I
> have not yet seen any examples of specific attacks. I would love to
> see this information. If I do not see a description of a specific
> attack soon I will assume these claims are just FUD.

I think we've met before at a SHDH event. That was a more pleasant conversation. Hopefully, we'll be able to regain that tone.

> Note also that sending of cookies is not an essential feature of
> AC4CSR; certainly it could be a viable spec with that feature removed.
> Do you believe there are any other showstopper issues?

Possibly. There is a lot of complexity in the AC4CSR proposal. I've been writing about the most severe things as I find them.

--Tyler
Received on Thursday, 3 April 2008 01:09:30 UTC
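The quoted paragraph argues that a resource which accepts the browser-attached cookie as proof of authority cannot tell a request the user consented to from one a third-party page triggered. The following is an added illustration of that distinction, not code from the thread and not a model of AC4CSR's actual mechanism: a cookie-only check is placed beside a check that additionally demands an explicit, per-session token that only the user's own page was given. The `Request` class, the `X-Request-Token` header name, the server key and the sample requests are all constructed for the example.

```python
"""Added illustration (not part of the original thread): ambient authority
(the browser-attached session cookie) versus an explicit per-request
credential. Every name, key and sample request below is constructed."""

from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed server-side secret used to mint per-session request tokens.
SERVER_KEY = b"constructed-server-key"


@dataclass
class Request:
    origin: str                         # page that issued the request (recorded only
                                        # to show it plays no part in the cookie check)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def mint_request_token(session_id: str) -> str:
    """Token bound to one session. It is handed to the user's own page in the
    document body; the browser never attaches it to requests automatically."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def ambient_authority_check(req: Request, sessions: dict) -> bool:
    """Cookie-only authorization: whatever request the browser attached the
    session cookie to is treated as the user's. Nothing here reflects whether
    the user consented, so this decision cannot distinguish the two cases."""
    return req.cookies.get("session") in sessions


def explicit_authority_check(req: Request, sessions: dict) -> bool:
    """The cookie still identifies the session, but the request must also
    carry the token that only code served to the user's own page learned."""
    sid = req.cookies.get("session")
    if sid not in sessions:
        return False
    token = req.headers.get("X-Request-Token", "")
    return hmac.compare_digest(token, mint_request_token(sid))


def demo() -> dict:
    """Run both checks over one consented and one unconsented request."""
    sessions = {"s1": "alice"}            # constructed: one logged-in session
    token = mint_request_token("s1")      # delivered to alice's own page

    # Request issued by the user's own page, carrying the explicit token.
    own_page = Request(origin="https://bank.example",
                       cookies={"session": "s1"},
                       headers={"X-Request-Token": token})
    # Request a third-party page triggered: the browser attaches the same
    # cookie, but that page never learned the token.
    third_party = Request(origin="https://other.example",
                          cookies={"session": "s1"})
    return {
        "ambient_own": ambient_authority_check(own_page, sessions),
        "ambient_third": ambient_authority_check(third_party, sessions),
        "explicit_own": explicit_authority_check(own_page, sessions),
        "explicit_third": explicit_authority_check(third_party, sessions),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running `demo()` shows the cookie-only check accepting both requests while the explicit check accepts only the one from the user's own page; the `origin` value is deliberately unused, because the point of the message is that the resource has nothing but the cookie to go on.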