- From: Brad Porter <bwporter@yahoo.com>
- Date: Fri, 22 Feb 2008 11:25:09 -0800 (PST)
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, "WAF WG \(public\)" <public-appformats@w3.org>, Window Snyder <window@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, Jesse Ruderman <jruderman@gmail.com>
We agree that applications can use the browser to initiate cross-site GET requests with cookies today using things like img src=? On the request side I don't see how access-control introduces a new attack vector. What applications can't do is inspect the return results. Access-control allows a site to make an explicit decision to share its data with the calling site. Whether that data contains user information based on the user's cookie is a privacy issue. I don't understand the assertion that sites need to protect against anything new. --Brad On Feb 22, 2008, at 10:56 AM, Daniel Veditz <dveditz@mozilla.com> wrote: Brad Porter wrote: Historically the user-agents have not been in the position of stating or attempting to enforce privacy policy. Historically browser have absolutely forbidden cross-site XHR; the same-origin policy _is_ a privacy policy and browser enforce it. If this new feature causes users harm because of a careless site the message the world gets will first be "Don't use Firefox on MySpace/Yahoo/whoever until the site is fixed" which quickly morphs to "BrowserX is safer than Firefox" because those users will not want to stop getting their data. I know that if we don't send cookies with XSXHR Firefox users aren't at much more risk from this new Mozilla-only browser feature. It may not be all that useful without cookies, but _I_ have not put users at risk. Given the repeated inability of sites to get the XSS issue right I don't have a lot of confidence they'll implement XSXHR correctly even if it requires opt-in by the site (the use-history of flash's crossdomain.xml is not exactly comforting). Convince me that the benefit of sending browser authentication outweighs the risk of the additional attack surface. Especially given that any substantial use will have to come up with a completely different mechanism for other browsers anyway -- only niche sites can afford to rely on a Firefox-only (for now) feature. -Dan Veditz
Received on Friday, 22 February 2008 19:25:32 UTC