- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 22 May 2008 20:39:08 +0000 (UTC)
- To: Chris Wilson <Chris.Wilson@microsoft.com>
- Cc: "arun@mozilla.com" <arun@mozilla.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
On Thu, 22 May 2008, Chris Wilson wrote:

> In both XHR2+AC and Flash's policy file approach, the "allow credentials" and the actual access to data occur in separate network transactions, and likely (but not guaranteed, of course) separate network connections. This enables the vector of DNS attacks - the idea being that between those two connections, an attacker could insert themselves into the stream. (Actually, more likely it would be the other way around - an attacker would insert themselves into the stream, give back "it's okay to do x-domain", then release and let the real site give back data.
>
> XDR, by contrast, performs the "access check" in effect on the same connection, since it's not a multi-part negotiation.

I think you're misunderstanding what it is that the preflight check does.

In XHR/AC, the preflight is a check to ensure that the server is willing to receive the request in the first place. XDR doesn't check for this at all (it's why it is possible to use XDR to POST to unsuspecting intranet servers, something you can't do with XHR unless the intranet server only supports HTTP 1.0 and thus doesn't check Host: headers).

In both XDR _and_ XHR/AC, the response is checked for the correct magic bits before any data is returned to the client. The security check is still done on the response; the data from the original OPTIONS request isn't used to determine whether or not to return data to the client.

In any case, if your DNS infrastructure has been compromised to the level that you describe then all of this is moot. If you can control what arbitrary hosts resolve to then there are much more effective attack scenarios, such as taking over the JS file that does all the XHRing in the first place, or stealing the user's credentials or cookies directly. Talking about DNS rebind attacks against XHR's OPTIONS infrastructure is like talking about whether to use bullet-proof glass or shatter-free glass on the front of a hot dog stand.
--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 22 May 2008 20:40:02 UTC
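To make the distinction in the reply above concrete, here is an added Python model (not code from the thread, from any browser, or from the Access Control spec) of the two separate checks: the preflight decides whether the request is sent at all, and the actual response's headers alone decide whether its body reaches the page. It assumes modern CORS header names (the 2008 draft spelled them differently) and, following the thread, that anything beyond a plain GET/HEAD is preflighted.

```python
# Added illustration, not code from the thread or from any browser: a toy
# model of the two separate checks described in the reply. Assumptions:
# modern CORS header names (the 2008 Access Control draft differed) and,
# matching the thread, a preflight for anything other than plain GET/HEAD.
from typing import Dict, Optional

Headers = Dict[str, str]


def _lower(h: Headers) -> Headers:
    return {k.lower(): v for k, v in h.items()}


def origin_allowed(allow_origin: Optional[str], origin: str) -> bool:
    """Does an Access-Control-Allow-Origin value cover the requesting origin?"""
    return allow_origin is not None and allow_origin.strip() in ("*", origin)


def needs_preflight(method: str, request_headers: Headers) -> bool:
    """Anything beyond a plain GET/HEAD, or with custom headers, is preflighted."""
    custom = set(_lower(request_headers)) - {"accept", "accept-language", "content-type"}
    return method.upper() not in ("GET", "HEAD") or bool(custom)


def preflight_allows(options_response: Headers, origin: str, method: str) -> bool:
    """Check 1 (preflight): is the server willing to *receive* the request?
    Decided from the OPTIONS response; failure means the request is never sent."""
    h = _lower(options_response)
    methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
    return origin_allowed(h.get("access-control-allow-origin"), origin) and method.upper() in methods


def response_exposed(actual_response: Headers, origin: str) -> bool:
    """Check 2 (response): may the body be handed to the calling page?
    Decided only from the actual response; the preflight result plays no part."""
    return origin_allowed(_lower(actual_response).get("access-control-allow-origin"), origin)


def cross_origin_request(origin: str, method: str, request_headers: Headers,
                         options_response: Optional[Headers],
                         actual_response: Headers) -> str:
    """Return what the page ends up seeing for one cross-origin request."""
    if needs_preflight(method, request_headers):
        if options_response is None or not preflight_allows(options_response, origin, method):
            return "blocked: preflight refused, request never sent"
    # The request goes out here. Even a forged "it's okay" preflight answer
    # cannot expose the body: the real response must carry the header itself.
    if response_exposed(actual_response, origin):
        return "released: body visible to page"
    return "withheld: request sent, body not exposed"
```

The "withheld" outcome is the case the reply stresses: a spoofed preflight changes nothing about data exposure, because the release decision is made on the real response.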