- From: Maciej Stachowiak <mjs@apple.com>
- Date: Mon, 17 Mar 2008 16:13:14 -0700
- To: Sunava Dutta <sunavad@windows.microsoft.com>
- Cc: Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
On Mar 17, 2008, at 2:29 PM, Sunava Dutta wrote:

> Maciej Stachowiak [mjs@apple.com] said:
> <<But not exactly identical, since forms can't be used to POST XML content with a proper MIME type cross-domain.>>
>
> You're right-- setting an arbitrary request content-type is a capability not present in HTML forms today. While we believe that this is a minimal increase in attack surface, we agree that it's worth considering whether or not such capability should be removed.
>
> If removed, all XDR POST requests could be sent with:
>
> Content-Type: text/plain; charset=UTF-8
>
> Servers would then be flexible in interpreting the data in the higher-level format they expect (JSON, XML, etc.).

I think encouraging more content sniffing of text/plain on the server side is likely to increase, not reduce attack surface.

> Maciej Stachowiak [mjs@apple.com] asked:
> <<What I'd like to understand is whether there are security benefits to the API and protocol differences.>>
>
> We believe that the XDR proposal represents a simpler mechanism for enabling the most commonly requested types of cross-domain access. We believe that such simplicity will lead to improved security in practical implementations by browsers.
>
> There are many threats against a cross-domain communication mechanism, so we believe the simplicity of XDR makes it more suitable than attempting to plumb cross-domain capabilities into the existing XHR object. In particular, we are concerned that attempting to introduce new restrictions/added complexity on an XHR object when it is used in a cross-domain manner will result in a confusing programming model for the web developer.

So far I have not heard any *specific* security risks of the Access-Control model as compared to XDR, at least none that have held up to closer scrutiny. Is Microsoft aware of any specific such risks, as opposed to general concerns?

Certainly simplicity of client-side authoring, server-side authoring and implementation are worth discussing as well, but I think the approaches are similar enough that simplicity in itself is not a major security issue.

Regards,
Maciej
Received on Monday, 17 March 2008 23:14:01 UTC
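The point about content sniffing in the exchange above is easier to see in code. The following is an added illustration, not code from the thread or from either vendor's implementation: a server-side dispatcher that routes only on the declared media type, beside the sniffing variant the reply argues against. The `handle_strict`, `handle_sniffing` and `strict_rejects_plain` functions and the sample request bodies are constructed for this example; the point is that a sniffing endpoint promotes a `text/plain` body (the one content type a plain HTML form can already send cross-domain) into its XML or JSON code paths, which is exactly the capability the discussion was considering removing.

```python
"""Strict content-type dispatch versus content sniffing for a cross-domain POST endpoint.

Added example; the handlers and sample bodies below are constructed for illustration.
"""
import json
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed sample bodies a caller might POST.
JSON_BODY = b'{"action": "transfer", "amount": 100}'
XML_BODY = b'<request><action>transfer</action><amount>100</amount></request>'


class UnsupportedMediaType(Exception):
    """Raised when the declared Content-Type is not one this endpoint accepts."""


def _media_type(content_type: str) -> str:
    # Drop parameters such as "; charset=UTF-8" and normalise case.
    return content_type.split(";", 1)[0].strip().lower()


def handle_strict(content_type: str, body: bytes) -> Tuple[str, dict]:
    """Dispatch only on the declared media type; never guess from the bytes.

    A text/plain body is refused even if it would parse as JSON or XML, so a
    request that an HTML form could have sent cross-domain can never reach the
    XML/JSON code paths.
    """
    mt = _media_type(content_type)
    if mt == "application/json":
        return "json", json.loads(body)
    if mt in ("application/xml", "text/xml"):
        root = ET.fromstring(body)
        return "xml", {child.tag: child.text for child in root}
    raise UnsupportedMediaType(mt)  # would be an HTTP 415 in a real server


def handle_sniffing(content_type: str, body: bytes) -> Tuple[str, dict]:
    """The pattern the reply warns against: accept text/plain and sniff the format.

    Whatever the body happens to parse as wins, so a text/plain POST that is
    reachable from a plain HTML form is silently handled as XML or JSON.
    """
    mt = _media_type(content_type)
    if mt == "text/plain":
        stripped = body.lstrip()
        if stripped.startswith(b"{") or stripped.startswith(b"["):
            return "json", json.loads(body)
        if stripped.startswith(b"<"):
            root = ET.fromstring(body)
            return "xml", {child.tag: child.text for child in root}
        return "text", {"raw": body.decode("utf-8")}
    return handle_strict(content_type, body)


def strict_rejects_plain(body: bytes) -> bool:
    """True if the strict handler refuses a text/plain body (the desired outcome)."""
    try:
        handle_strict("text/plain; charset=UTF-8", body)
    except UnsupportedMediaType:
        return True
    return False


if __name__ == "__main__":
    for body in (JSON_BODY, XML_BODY):
        print("strict rejects text/plain:", strict_rejects_plain(body))
        kind, _ = handle_sniffing("text/plain; charset=UTF-8", body)
        print("sniffing handles text/plain as:", kind)
```

Run stand-alone, the strict handler rejects both sample bodies when they arrive as `text/plain`, while the sniffing handler quietly treats them as JSON and XML respectively. The design choice is that the declared type, not the bytes, decides which parser runs; a body the endpoint did not ask for is an error, not a puzzle to solve.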