- From: <sird@rckc.at>
- Date: Mon, 7 Dec 2009 00:19:59 +0800
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-web-security@w3.org
- Message-ID: <8ba534860912060819y3626f194la677a8a642b4a1bd@mail.gmail.com>
Comments..

1.- Section 4.6.2, step 5, I think should include other headers like User_Agent (with _ instead of -), Content_Length, etc.. Same for Proxy_ and Sec_, since Apache sort of sucks.. and Range/Request Range, etc.. as shown by kuza55 in some ppt some time ago.

2.- 4.6.3 is not clear. It is obvious the UA should check first for which type of authentication, but then, if I read correctly, you allow the script to set its own Authentication header via setRequestHeader().. but if the header is missing, then you fall back to the 4th and 5th arguments of open(). Does this make the UA make 2 requests [one to know the auth method and the other to do the real request]? Do both requests carry the data sent by send() (before and after the 401)? What about redirects that require different Authentication methods? If the user is now under (for example) a Digest auth session, but the page/redirected page responds with Authentication: Basic, should the UA prompt the user for user/password again? This is a dangerous downgrade attack (think active network attackers). If the session already has a username/password HTTP auth session and open() has user/pass, should it be replaced by the new one? Are you sure? Are you really sure? There are several attack scenarios there.. and unless I missed something, in my opinion the specification is not specific enough =/

3.- Do you really want to return to the user ALL HTTP headers with getAllResponseHeaders()? Think of Set-Cookie + httpOnly.

Anyway.. just a few thoughts..

Greetings!!

-- 
Eduardo
http://www.sirdarckcat.net/
Sent from Hangzhou, Zhejiang, China

On Sun, Dec 6, 2009 at 8:35 PM, Thomas Roessler <tlr@w3.org> wrote:
> The XMLHttpRequest spec is in Last Call till 16 December:
>
>
> XMLHttpRequest
>
> W3C Working Draft 19 November 2009
>
> This Version:
>
> http://www.w3.org/TR/2009/WD-XMLHttpRequest-20091119/
>
> A review from a security perspective would be a Good Thing.
>
> Particularly interesting pieces:
>
> - this is the place where the same origin policy for XMLHttpRequest is
> defined
> - behavior upon redirects
> - needs security considerations on, e.g., DNS rebinding
>
> Any takers?
>
> Thanks,
> --
> Thomas Roessler, W3C <tlr@w3.org>
Received on Sunday, 6 December 2009 16:20:59 UTC
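The two checks below are an added example in JavaScript illustrating points 1 and 2 of the message above; they are not code from the message, from its author, or from the XMLHttpRequest draft. Point 1: a CGI-style backend (RFC 3875 section 4.1.18) turns a request header name into a meta-variable by upper-casing it, replacing `-` with `_` and prefixing `HTTP_`, so `User_Agent` and `User-Agent` both arrive as `HTTP_USER_AGENT`; a forbidden-header check that compares raw names misses the underscore form, while one that compares after the same flattening does not. Point 2: a `WWW-Authenticate` challenge can name a weaker scheme than the one the session was established with, and a UA can refuse to replay or prompt for credentials on such a downgrade. The `PROTECTED_HEADERS` list, the `SCHEME_RANK` ordering, the `SAMPLE_NAMES` and the challenge strings are assumptions constructed for this example; the challenge parser handles only parameterised challenges and not quoted values containing `, Scheme param=`.

```javascript
// Added example (not from the message, its author, or the XHR draft).

// Point 1: header names the UA is assumed to protect from setRequestHeader().
// This list is an assumption for the example, not a copy of the draft's table.
const PROTECTED_HEADERS = [
  "Accept-Charset", "Accept-Encoding", "Connection", "Content-Length",
  "Cookie", "Cookie2", "Content-Transfer-Encoding", "Date", "Expect",
  "Host", "Keep-Alive", "Referer", "TE", "Trailer", "Transfer-Encoding",
  "Upgrade", "User-Agent", "Via",
];
const PROTECTED_PREFIXES = ["Proxy-", "Sec-"];

// RFC 3875 section 4.1.18: upper-case, '-' becomes '_', prefix HTTP_.
// A name that already contains '_' lands on the same variable as its '-' form.
function toCgiMetaVariable(name) {
  return "HTTP_" + name.toUpperCase().replace(/-/g, "_");
}

// Naive check: case-insensitive match on the raw header name only.
function isForbiddenNaive(name) {
  const lower = name.toLowerCase();
  if (PROTECTED_HEADERS.some(h => h.toLowerCase() === lower)) return true;
  return PROTECTED_PREFIXES.some(p => lower.startsWith(p.toLowerCase()));
}

// Hardened check: compare after the flattening the backend will apply,
// so User_Agent, content_length, Proxy_Connection, Sec_Foo are caught too.
function isForbiddenFlattened(name) {
  const flat = toCgiMetaVariable(name);
  if (PROTECTED_HEADERS.some(h => toCgiMetaVariable(h) === flat)) return true;
  return PROTECTED_PREFIXES.some(p => flat.startsWith(toCgiMetaVariable(p)));
}

// Names a script might try; constructed for this example.
const SAMPLE_NAMES = [
  "User_Agent", "content_length", "Proxy_Connection", "Sec_Foo",
  "X-Requested-With", "Cookie", "Referer",
];

// Names that slip past the naive check but are rejected once flattened.
function findBypasses(names = SAMPLE_NAMES) {
  return names.filter(n => !isForbiddenNaive(n) && isForbiddenFlattened(n));
}

// Point 2: rank of each auth scheme; an assumption for the example.
const SCHEME_RANK = { basic: 1, digest: 2 };

// Extract the scheme tokens from a WWW-Authenticate value such as
//   Digest realm="api", nonce="n", Basic realm="api"
// A scheme token is a token at the start or after a comma that is followed by
// whitespace and a param=...; parameter names are not followed by whitespace.
function parseChallengeSchemes(header) {
  const schemes = [];
  const re = /(?:^|,)\s*([A-Za-z][A-Za-z0-9-]*)\s+(?=[A-Za-z0-9-]+=)/g;
  let m;
  while ((m = re.exec(header)) !== null) schemes.push(m[1].toLowerCase());
  return schemes;
}

// True when the strongest scheme offered is weaker than the scheme the
// current session's credentials were established under. On true, the UA
// should neither replay stored credentials nor prompt the user.
function isDowngrade(sessionScheme, challengeHeader) {
  const offered = parseChallengeSchemes(challengeHeader);
  const best = Math.max(0, ...offered.map(s => SCHEME_RANK[s] || 0));
  return best < (SCHEME_RANK[sessionScheme.toLowerCase()] || 0);
}

console.log("bypasses:", findBypasses());
console.log("digest -> Basic is downgrade:", isDowngrade("digest", 'Basic realm="api"'));
```

Run with `node`. The naive check lets four of the seven sample names through, every one of which a CGI backend would read as a protected header; the downgrade check flags a bare `Basic` challenge against a `Digest` session but not a challenge that still offers `Digest` alongside `Basic`.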