- From: Brad Porter <bwporter@yahoo.com>
- Date: Sat, 23 Feb 2008 14:02:37 -0800 (PST)
- To: Brad Porter <bwporter@yahoo.com>, Daniel Veditz <dveditz@mozilla.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, "WAF WG \(public\)" <public-appformats@w3.org>, Window Snyder <window@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, Jesse Ruderman <jruderman@gmail.com>
- Message-ID: <861171.72183.qm@web53501.mail.re2.yahoo.com>
[Cross-posting from another thread per Jonas's recommendation.] I reread the entire thread. If I can restate the concern -- the concern is that a site will enable access without understanding what enabling access means and therefore unintentionally leak data. This is a risk with or without cookies, but the cookies means that the site might unintentionally leak user-specific data. The intention is to cripple the access-control functionality by eliminating cookies in order to prevent site authors from injuring themselves, thus eliminating a large class of valid use cases but preventing site-authors from leaking their own user-specific data covered by their own privacy policy. I'm reminded of the Ronald Reagan quote: "Government exists to protect us from each other. Where government has gone beyond its limits is in deciding to protect us from ourselves." I think trying to protect site authors from themselves is giving site authors far too little credit. --Brad Brad Porter <bwporter@yahoo.com> wrote: We agree that applications can use the browser to initiate cross-site GET requests with cookies today using things like img src=? On the request side I don't see how access-control introduces a new attack vector. What applications can't do is inspect the return results. Access-control allows a site to make an explicit decision to share its data with the calling site. Whether that data contains user information based on the user's cookie is a privacy issue. I don't understand the assertion that sites need to protect against anything new. --Brad On Feb 22, 2008, at 10:56 AM, Daniel Veditz wrote: Brad Porter wrote: Historically the user-agents have not been in the position of stating or attempting to enforce privacy policy. Historically browser have absolutely forbidden cross-site XHR; the same-origin policy _is_ a privacy policy and browser enforce it. If this new feature causes users harm because of a careless site the message the world gets will first be "Don't use Firefox on MySpace/Yahoo/whoever until the site is fixed" which quickly morphs to "BrowserX is safer than Firefox" because those users will not want to stop getting their data. I know that if we don't send cookies with XSXHR Firefox users aren't at much more risk from this new Mozilla-only browser feature. It may not be all that useful without cookies, but _I_ have not put users at risk. Given the repeated inability of sites to get the XSS issue right I don't have a lot of confidence they'll implement XSXHR correctly even if it requires opt-in by the site (the use-history of flash's crossdomain.xml is not exactly comforting). Convince me that the benefit of sending browser authentication outweighs the risk of the additional attack surface. Especially given that any substantial use will have to come up with a completely different mechanism for other browsers anyway -- only niche sites can afford to rely on a Firefox-only (for now) feature. -Dan Veditz
Received on Saturday, 23 February 2008 22:02:50 UTC