Re: Mozilla security review of Access Control

Sorry, that should say:

*Wednesday* (Feb 20) 3pm Pacific, 6pm Eastern, 23:00 UTC


Jonas Sicking wrote:
> 
> Hi All,
> 
> We didn't manage to finish the security review last week, so we're going 
> to continue tomorrow. The contact info is about the same as last week:
> 
> * Tuesday 3pm Pacific, 6pm Eastern, 20:00 UTC
> * Mozilla Building S - Central Area
> * 650-903-0800 or 650-215-1282 x91 Conf# 217 (US/INTL)
> * 1-800-707-2533 (pin 369) Conf# 217 (US)
> 
> Background material here:
> http://wiki.mozilla.org/User:Sicking/Cross_Site_XHR_Review
> 
> There were two big issues that came up during the last review:
> 
> Should we send cookies and auth headers for cross site requests:
> For now we decided not to, but I'd like to bring this issue up in other 
> forums too, will do so here shortly. This issue will not be dealt with 
> tomorrow since it's simply too big to reach a conclusion.
> 
> Could DNS rebind attacks be made worse through the access-control spec:
> The attack that was brought up was an attacker able to redirect any 
> given request to his own site. He could then redirect the OPTIONS 
> request to his own site but let the POST requests go through to the 
> targeted site and cause harm.
> However, this is already possible today. If an attacker can redirect a 
> single request he could just redirect a request for a script or html 
> resource which would include scripts that could perform same-site 
> XMLHttpRequests which would have the same effect.
> 
> 
> Anyone is invited to call in or come by.
> 
> Best Regards,
> Jonas Sicking
> 
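
The rebinding scenario Jonas describes (attacker answers the OPTIONS preflight, the POST reaches the real target) and his counter-argument (the same redirect lets an attacker serve a script as the target's hostname and issue a same-site XMLHttpRequest with no preflight at all) can be walked through offline. The following is an added example, not code from the thread or from Mozilla: the hostnames, addresses, server behaviour, resolver and the `pin` option (reusing the preflight's resolved address for the POST, a mitigation the thread does not discuss) are all assumptions made for illustration. The preflight header name is the one CORS later standardised, not the 2008 draft's syntax.

```javascript
// Added example, not code from the thread: an offline model of a resolver that
// rebinds a hostname between two lookups, and what that does to the preflight
// (OPTIONS) step of a cross-site POST versus a plain same-site request.
// All hosts, addresses and server behaviour below are assumed for illustration.

const ATTACKER_IP = "203.0.113.10"; // documentation range, stands in for the attacker's host
const TARGET_IP = "198.51.100.20";  // the targeted site, e.g. something behind a firewall
const VICTIM_ORIGIN = "http://evil.example"; // origin of the page running the attacker's script
const TARGET_HOST = "intranet.example";      // hostname whose DNS records the attacker controls

// Minimal "servers" keyed by address. `effects` records anything that changes state.
function makeServers() {
  const effects = [];
  const servers = {};
  servers[ATTACKER_IP] = {
    name: "attacker",
    handle(method) {
      if (method === "OPTIONS") {
        // The attacker answers the preflight permissively (header name as later standardised in CORS).
        return { headers: { "Access-Control-Allow-Origin": "*" } };
      }
      if (method === "GET") {
        // A "script" which, once run as the target's origin, posts to the target.
        return { headers: {}, body: "POST" };
      }
      effects.push(`attacker received ${method}`);
      return { headers: {} };
    },
  };
  servers[TARGET_IP] = {
    name: "target",
    handle(method) {
      // The target knows nothing about cross-site access: it sends no access-control headers.
      if (method === "POST") effects.push("target state changed");
      return { headers: {} };
    },
  };
  return { servers, effects };
}

// Rebinding resolver: the first lookup of the host maps to the attacker, later lookups to the target.
function rebindingResolver() {
  let lookups = 0;
  return (host) => (host === TARGET_HOST && lookups++ === 0 ? ATTACKER_IP : TARGET_IP);
}

// Honest resolver for comparison: the host always maps to the target.
function honestResolver() {
  return () => TARGET_IP;
}

// Browser side of a cross-site POST as the draft describes it: OPTIONS first, POST only if
// the preflight allows it. `pin` (an assumed mitigation) reuses the preflight's address for the POST.
function crossSitePost(resolve, servers, { pin = false } = {}) {
  const trace = [];
  let ip = resolve(TARGET_HOST);
  trace.push(`OPTIONS -> ${servers[ip].name}`);
  const allow = servers[ip].handle("OPTIONS").headers["Access-Control-Allow-Origin"];
  if (allow !== "*" && allow !== VICTIM_ORIGIN) {
    trace.push("preflight denied, POST not sent");
    return { sent: false, trace };
  }
  if (!pin) ip = resolve(TARGET_HOST); // second lookup: this is the rebinding window
  trace.push(`POST -> ${servers[ip].name}`);
  servers[ip].handle("POST");
  return { sent: true, trace };
}

// The "already possible today" path: the attacker serves a script under the target's hostname,
// the browser runs it with the target's origin, and its same-site XHR needs no preflight.
function sameSiteViaRebinding(resolve, servers) {
  const trace = [];
  let ip = resolve(TARGET_HOST);
  trace.push(`GET script -> ${servers[ip].name}`);
  const script = servers[ip].handle("GET").body;
  if (script !== "POST") return { sent: false, trace };
  ip = resolve(TARGET_HOST); // the script's XHR triggers a fresh lookup, now the target
  trace.push(`same-site POST -> ${servers[ip].name}`);
  servers[ip].handle("POST");
  return { sent: true, trace };
}

// Run the four cases on fresh servers so their effects do not mix.
function runScenarios() {
  const out = {};
  let s = makeServers();
  out.honest = { ...crossSitePost(honestResolver(), s.servers), effects: s.effects };
  s = makeServers();
  out.rebound = { ...crossSitePost(rebindingResolver(), s.servers), effects: s.effects };
  s = makeServers();
  out.reboundPinned = { ...crossSitePost(rebindingResolver(), s.servers, { pin: true }), effects: s.effects };
  s = makeServers();
  out.sameSite = { ...sameSiteViaRebinding(rebindingResolver(), s.servers), effects: s.effects };
  return out;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

With the honest resolver the target never grants access and the POST is not sent; with the rebinding resolver the attacker's OPTIONS answer lets the POST reach the target; pinning the address across the pair sends the POST to the attacker instead, leaving the target untouched; and the same-site path changes target state without any OPTIONS ever being sent, which is the point of the thread's counter-argument.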

Received on Wednesday, 20 February 2008 17:17:18 UTC