Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

Jon Ferraiolo wrote:
> <jonas>
> I don't understand at all what you are proposing. If we allow the client
> to always POST cross domain the damage is already done and we have lost
> already... JSONRequest always allows cross-site POSTs, i.e. it always 
> allows the
> thing we are trying to prevent.
> </jonas>
> 
> JSONRequest requires that a server make explicit changes in order to 
> opt-in to enabling cross-site requests (GET or POST). From the 
> JSONRequest spec (http://www.json.org/JSONRequest.html):
> 
> 3. Responses will be rejected unless they contain a JSONRequest content 
> type. This makes it impossible to use JSONRequest to obtain data from 
> insecure legacy servers.

Yes, JSONRequest makes the assumption that POSTing data cross site is 
safe as long as the posted data is of type application/jsonrequest. This 
is an assumption that I personally as well as Mozilla feel very 
uncomfortable with.

This becomes even more of a problem if you want to scale up the 
JSONRequest spec to support other data types than JSON objects 
(something which is in the AC requirements).

That said, if you really think that it is possible to create a security 
model based on JSONRequest which supports the requirements listed in the 
AC spec, I look forward to such a proposal.

> <jonas>
> We can't make existing already deployed servers to start
> dealing with this new spec.
> </jonas>
> 
> I'm not sure what you are asking. Are you saying that we can't require 
> existing servers to make changes in order to support cross-site 
> requests? But AC also requires servers to make changes in order to 
> support at least some of its features.

I simply meant that we can't create a spec which makes currently 
deployed servers suddenly vulnerable. I.e., we have to use an opt-in 
mechanism rather than an opt-out one.

/ Jonas

Received on Thursday, 15 May 2008 15:44:05 UTC
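The distinction Jonas draws above (a request that reaches a legacy server has already caused its side effect, whatever the client later does with the response) can be made concrete with a small simulation. This is an added illustration, not code from the thread, the JSONRequest spec or the AC spec. It assumes a constructed toy "legacy server" that acts on every POST and publishes no cross-site policy, and it abstracts the opt-in model as a published set of allowed origins that the client checks before sending anything; the real AC mechanism is not modelled here.

```python
"""Added example: why an opt-in model protects already-deployed servers
while the JSONRequest content-type rule does not.

Constructed for this illustration: LegacyServer, OptedInServer and the
two client functions are assumptions, not the real protocols."""

JSONREQUEST_TYPE = "application/jsonrequest"


class LegacyServer:
    """A deployed server that predates both proposals: it acts on any
    POST it receives and never advertises a cross-site policy."""

    def __init__(self):
        self.side_effects = []        # e.g. settings changed by a POST
        self.allowed_origins = None   # nothing published: no opt-in

    def handle(self, method, content_type, body):
        # A legacy server has never heard of application/jsonrequest,
        # so the content type does not change what it does with a POST.
        if method == "POST":
            self.side_effects.append(body)
        # It replies with its usual type, not the JSONRequest type.
        return ("text/html", "<html>ok</html>")


class OptedInServer(LegacyServer):
    """A server that has explicitly opted in for some origins."""

    def __init__(self, allowed_origins):
        super().__init__()
        self.allowed_origins = frozenset(allowed_origins)


def jsonrequest_client(server, origin, body):
    """JSONRequest model: send the cross-site POST tagged with the
    JSONRequest content type, then reject the response unless it
    carries that type.  Returns (request_sent, response_accepted)."""
    resp_type, _ = server.handle("POST", JSONREQUEST_TYPE, body)
    return True, resp_type == JSONREQUEST_TYPE


def opt_in_client(server, origin, body):
    """Opt-in model (abstracted): consult the server's published policy
    before sending.  A server that published nothing, i.e. every legacy
    server, is never sent the cross-site POST.
    Returns (request_sent, response_accepted)."""
    allowed = server.allowed_origins
    if allowed is None or origin not in allowed:
        return False, False
    server.handle("POST", "application/json", body)
    return True, True


if __name__ == "__main__":
    legacy = LegacyServer()
    print(jsonrequest_client(legacy, "http://other.example", "update"))
    print("legacy side effects:", legacy.side_effects)  # damage done
    legacy = LegacyServer()
    print(opt_in_client(legacy, "http://other.example", "update"))
    print("legacy side effects:", legacy.side_effects)  # untouched
```

Running the block shows the asymmetry: under the JSONRequest model the response is rejected but the legacy server has already recorded the POST, whereas under the opt-in model a server that published no policy is never contacted cross-site at all.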