- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 19 Feb 2008 19:37:52 -0800
- To: "WAF WG (public)" <public-appformats@w3.org>, "Close, Tyler J." <tyler.close@hp.com>
Hi All,

We didn't manage to finish the security review last week, so we're going to continue tomorrow. The contact info is about the same as last week:

* Tuesday 3pm Pacific, 6pm Eastern, 20:00 UTC
* Mozilla Building S - Central Area
* 650-903-0800 or 650-215-1282 x91 Conf# 217 (US/INTL)
* 1-800-707-2533 (pin 369) Conf# 217 (US)

Background material here:
http://wiki.mozilla.org/User:Sicking/Cross_Site_XHR_Review

There were two big issues that came up during the last review:

Should we send cookies and auth headers for cross-site requests?
For now we decided not to, but I'd like to bring this issue up in other forums too; I will do so here shortly. This issue will not be dealt with tomorrow since it's simply too big to reach a conclusion.

Could DNS rebinding attacks be made worse through the access-control spec?
The attack that was brought up was an attacker able to redirect any given request to his own site. He could then redirect the OPTIONS request to his own site but let the POST requests go through to the targeted site and cause harm.

However, this is already possible today. If an attacker can redirect a single request, he could just redirect a request for a script or HTML resource which would include scripts that could perform same-site XMLHttpRequests, which would have the same effect.

Anyone is invited to call in or come by.

Best Regards,
Jonas Sicking
Received on Wednesday, 20 February 2008 03:37:33 UTC
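The two attack paths compared in the message (redirecting only the OPTIONS preflight so the POST reaches the real site, versus redirecting a script fetch so the injected script does a same-site POST with no preflight at all) can be played out in a small model. The code below is an added illustration, not code from the WAF WG, Mozilla or the draft: it gives the attacker a per-request resolver, which is the premise of the DNS-rebinding concern, and shows that both paths deliver a POST to the real server. The header names use today's CORS spelling (Access-Control-Request-Method, Access-Control-Allow-Origin, Access-Control-Allow-Methods), which is an assumption about the 2008 draft text, and all hosts, origins, addresses and the script payload are constructed.

```python
"""
Model of the OPTIONS-preflight-then-POST exchange with a pluggable per-request
resolver, so the DNS-rebinding scenario from the e-mail can be exercised.
Added illustration; not code from the WG, Mozilla or the draft. Header names
follow today's CORS spelling (an assumption about the 2008 draft); every host,
origin, address and payload below is constructed.
"""

VICTIM_HOST = "bank.example"
VICTIM_ORIGIN = "https://bank.example"
PARTNER_ORIGIN = "https://partner.example"
EVIL_ORIGIN = "https://evil.example"
VICTIM_IP, ATTACKER_IP = "198.51.100.10", "203.0.113.5"   # constructed


class VictimServer:
    """bank.example: permits cross-site POST only from partner.example."""

    def __init__(self):
        self.posts = []  # (origin, body) of every POST that actually reached us

    def handle(self, method, origin, headers, body=None):
        if method == "OPTIONS":
            if (origin == PARTNER_ORIGIN
                    and headers.get("Access-Control-Request-Method") == "POST"):
                return 200, {"Access-Control-Allow-Origin": origin,
                             "Access-Control-Allow-Methods": "POST"}, ""
            return 200, {}, ""   # no allow headers: the UA must not send the POST
        if method == "POST":
            self.posts.append((origin, body))   # the harmful side effect happens here
            return 200, {}, "done"
        return 405, {}, ""


class AttackerServer:
    """Attacker-controlled host: answers every preflight with a blanket allow,
    and serves a script that issues a same-site POST when fetched as a script."""

    def handle(self, method, origin, headers, body=None):
        if method == "GET":
            return 200, {}, "SCRIPT: POST /transfer to=attacker"   # constructed payload
        return 200, {"Access-Control-Allow-Origin": origin,
                     "Access-Control-Allow-Methods": "POST"}, "anything"


def cross_site_post(origin, host, body, resolver, servers):
    """User-agent side of the draft: preflight with OPTIONS, then POST only if
    the preflight allowed it. resolver(host, method) is consulted once per
    request, which is exactly the per-request resolution rebinding abuses."""
    ip = resolver(host, "OPTIONS")
    _, hdrs, _ = servers[ip].handle("OPTIONS", origin,
                                    {"Access-Control-Request-Method": "POST"})
    if (hdrs.get("Access-Control-Allow-Origin") != origin
            or "POST" not in hdrs.get("Access-Control-Allow-Methods", "")):
        return "blocked by preflight"
    ip = resolver(host, "POST")
    servers[ip].handle("POST", origin, {}, body)
    return "POST delivered to " + ip


def script_then_same_site_post(host, resolver, servers):
    """The 'already possible today' path: the UA fetches a script from host,
    runs it with host's own origin, and the script does a same-site XHR POST,
    which needs no preflight at all."""
    ip = resolver(host, "GET")
    _, _, script = servers[ip].handle("GET", VICTIM_ORIGIN, {})
    if not script.startswith("SCRIPT: POST "):
        return "no POST issued"
    ip = resolver(host, "POST")
    servers[ip].handle("POST", VICTIM_ORIGIN, {}, script[len("SCRIPT: POST "):])
    return "same-site POST delivered to " + ip


def honest_dns(host, method):
    return VICTIM_IP


def rebinding_dns(host, method):
    """Attacker's resolver: point the OPTIONS (or the script GET) at himself,
    let the POST go through to the real site."""
    return VICTIM_IP if method == "POST" else ATTACKER_IP


def run_scenarios():
    victim = VictimServer()
    servers = {VICTIM_IP: victim, ATTACKER_IP: AttackerServer()}
    results = {
        "partner": cross_site_post(PARTNER_ORIGIN, VICTIM_HOST, "a", honest_dns, servers),
        "evil_honest": cross_site_post(EVIL_ORIGIN, VICTIM_HOST, "b", honest_dns, servers),
        "evil_rebind": cross_site_post(EVIL_ORIGIN, VICTIM_HOST, "c", rebinding_dns, servers),
        "script": script_then_same_site_post(VICTIM_HOST, rebinding_dns, servers),
    }
    return results, victim.posts


if __name__ == "__main__":
    for name, outcome in run_scenarios()[0].items():
        print(f"{name:12s} {outcome}")
```

With an honest resolver the preflight does its job: partner.example gets through and evil.example is stopped before any POST is sent. Once the attacker can steer individual requests, the preflight is answered by his own server and the POST still lands on bank.example; the script-redirect path reaches the same server with the site's own origin and never triggers a preflight, which is the equivalence the message relies on.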