Re: IE Team's Proposal for Cross Site Requests from Laurens Holst on 2008-03-15 (public-appformats@w3.org from March 2008)

From: Laurens Holst <lholst@students.cs.uu.nl>
Date: Sat, 15 Mar 2008 23:01:19 +0100
To: Eric Lawrence <ericlaw@exchange.microsoft.com>
CC: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Sunava Dutta <sunavad@windows.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
Message-ID: <47DC472F.9080300@students.cs.uu.nl>

Eric Lawrence schreef:
> Note that XDR supports only the GET and POST methods, DELETE and other methods are not supported.
>   

I don’t really see how POST is less harmful than DELETE. POST (if used 
in a REST-y way) can be used to wreak serious havoc (e.g. spam messages, 
overload server data capacity, post viruses, adding new super user 
accounts for the hacker, change settings such as passwords, influence 
poll results).

Additionally, there are a great number of sites that are using the HTTP 
POST method for operations that would be more suitable for PUT and 
DELETE. The reason that this happens is probably HTML’s fault, because 
it only supports GET and POST, crippling the functionality that HTTP 
provides. Non-REST webservices protocols such as XML-RPC and SOAP also 
exclusively use POST.

If XDR only supports GET and POST, it encourages sites to use POST to 
implement delete functionality and abuse the HTTP protocol because that 
is the only way they can get the functionality they desire to work. 
Basically, you’re boycotting REST in favour of SOAP.

So, I do not see much benefit in the decision to disallow DELETE but 
allowing POST.

> XDR is intended for "public" data.  We explicitly suggest that Intranet servers do not expose private data through this mechanism.  In order to ensure that no existing servers/services (in any zone) are put at risk, XDR does not send credentials of any sort, and requires that the server acknowledge the cross-domain nature of the request via the response header.
>   

I don’t think you’re really keeping users very safe that way. To quote 
an example, PHP is by default configured to send session credentials 
entirely through sessionID link parameters when cookies are not 
available, and thus don’t need cookies or authentication headers. And on 
many sites (e.g. phpBB-based forums), communication with the server 
(including deletion) happens exclusively through GET and POST requests. 
XDR’s restrictions on methods and credentials will not do these sites 
any good. Rather, they encourage even more sites to work around the 
restrictions.

Additionally, if you really want to keep sites safe in this manner, you 
should disallow cross-site POST requests for both XDR and HTML forms. 
Otherwise, there is already a breach in the safety, POST is equally 
suitable for ‘public’ data as DELETE and PUT are. You should allow those 
methods, so that developers can at least provide a proper REST API and 
are not forced to overload POST like XML-RPC and SOAP and friends do.

> Laurens Holst [lholst@students.cs.uu.nl] asked:
> <<So, if I cannot set HTTP headers, how am I supposed to set an Accept
> header to indicate that I e.g. want to receive application/xhtml+xml,
> application/atom+xml, application/*rss*+xml, application/rdf+xml, etc.?
> Your proposal is completely unfriendly to content negotiation. Also,
> there are valid use cases for setting other headers.
>
> I sincerely hope you will fix this issue by creating a blacklist of
> headers instead of disallowing them entirely.>>
>
> We absolutely agree that it is possible to define use cases that XDR does not accommodate.  We believe that XDR enables the most common cross-domain scenarios with negligible impact to the attack surface of existing servers and the browser.
>
> Creating a "blocklist" of headers is problematic as there is no existing mechanism to determine whether a target server will interpret a given header in a particular way.
>
> By way of example, we are aware of servers which utilize custom HTTP request headers as an anti-CRSF mechanism.  Such servers assume that, because the only mechanism currently available in the browser to send custom headers is via XMLHTTPRequest, if such custom headers are present, then the request "must" be from a same-origin XHR object.  Hence, permitting use of custom headers in XDR would expose such servers to attack.  It's absolutely reasonable to argue that such servers never should have made such assumptions, however we do not feel it is appropriate to put servers at risk.
>   

Then create a whitelist, with at least the Accept-* headers on it. They 
are clearly defined, and it is doubtful that they are used in a 
different manner than described. The use cases are clear and plenty.

> While HTTP-based content-negotiation is certainly well-defined by the HTTP specifications, for operational reasons it is relatively uncommon in the wild.  Different content types are usually served from different URLs; for instance, you can see that Yahoo!-based services use a URL parameter to pivot between JSON and XML format (http://developer.yahoo.com/common/json.html).
>   

I don’t think it is up to Microsoft to decide that content negotiation 
is useless and that part of HTTP should not be supported even though it 
poses no security risk. Part of the reason that content type negotiation 
is reasonably uncommon in the wild is partially because of mediocre 
support by user agents. By the way, content language and content 
encoding negotiation is pretty common, actually.

Content type negotiation is very useful and I think a very nice feature 
of HTTP, offering different ‘views’ (e.g. RSS or RDF, SVG or PNG) of the 
same content. With XHR it was finally possible to use content type 
negotiation in a good way in browsers, please don’t break it again in XDR.

I also think your argument here is inconsistent with the functionality 
XDR provides, since you DO support specifying the content type for POST 
entity bodies (contentType property).

If you decide to not allow manipulation of the Accept header anyway, you 
should make sure to NOT send an Accept header in the request at all, 
because it would not be able to reflect the content that the requestee 
intended to receive.

> It's certainly a possibility.  For instance, consider a device which accepts SOAP XML as input  The designers of the device were wise to note that a cross-domain form submission could be made (encType = text/plain) that contains XML-formatted content, and thus they devised an anti-CSRF mechanism of rejecting requests that do not bear a proper SOAPAction header.  Such restriction properly blocks CSRF via HTML forms, but is put at risk if a cross-domain XHR request is able to send arbitrary headers.
>   

This is also the case for XDR, no? The user can specify an arbitrary 
POST body, with arbitrary content type.

I think that is all I have to say :).


~Grauw

-- 
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.

Received on Saturday, 15 March 2008 22:02:28 UTC