- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 08 Jun 2006 14:56:51 +0200
- To: Public Web API <public-webapi@w3.org>
Hi,

I'd like to pick up the discussion I started several weeks ago (see <http://lists.w3.org/Archives/Public/public-webapi/2006Apr/0305.html> and copy below)...

In the meantime I've discussed the issue with Roy F., and we also talked about it over on Mark Nottingham's blog (see <http://www.mnot.net/blog/2006/04/20/form.submit>).

I'm still convinced that a user agent that allows an HTML page to submit an unsafe method (such as POST, DELETE or PUT) without explicit user interaction is buggy. This applies both to form.submit and XHR.

Best regards, Julian

-- quote --

While discussing RFC2518bis, the IETF WebDAV WG got feedback ([1]) pointing out a potential attack scenario that hasn't been discussed a lot before, and mainly depends on three factors:

- HTTP methods such as PUT or DELETE that may overwrite/delete existing content
- collaborative authoring of web resources by different users on the same site (so this is *not* about cross site attacks)
- presence of scriptable HTTP components in browsers (XHR).

Summary (from [2]):

> The XmlHttpRequest object (implemented now in all current browsers) allows
> issuing arbitrary HTTP (and WebDAV) requests under the credentials of the
> authenticated user, in particular the DELETE method.
>
> If user A prepares an HTML page containing code that will issue a DELETE request
> against one of user B's resources, and tricks him/her into navigating to that
> page, the browser will issue the DELETE request with B's credentials (no
> confirmation required).

At this point the WebDAV working group really doesn't know what to do with this, except for potentially adding it to the Security Considerations in RFC2518bis. On the other hand, this isn't really specific to WebDAV (being based on HTTP PUT/DELETE and XHR-like functionality), so maybe somebody over here has some idea how to deal with it.

Best regards, Julian

[1] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2006JanMar/0701.html>
[2] <http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=237>

Received on Friday, 14 April 2006 11:00:06 GMT

--
Received on Thursday, 8 June 2006 12:57:01 UTC
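As an added example (not code from Julian's mail or the WebDAV WG), a server-side guard for the same-site scenario above: unsafe methods are refused when the Referer shows they were triggered from another user's authored page rather than from the site's own editor UI. The layout is assumed: authored pages under /users/, the editor under /client/, both on the constructed host dav.example.org.

```python
# Referer-based guard for unsafe HTTP/WebDAV methods on a shared authoring
# site. Added example, not code from the mail or the WebDAV WG. Assumed
# layout: user-authored pages under /users/, the site's own editor UI under
# /client/, all on one host (the same-site case the mail describes).
from urllib.parse import urlsplit

UNSAFE_METHODS = {"POST", "PUT", "DELETE", "PATCH", "PROPPATCH",
                  "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
USER_CONTENT_PREFIX = "/users/"   # where other users' HTML is served (assumed)
AUTHORING_UI_PREFIX = "/client/"  # first-party pages allowed to send them (assumed)
HOST = "dav.example.org"          # constructed host name


def check_unsafe_request(method, headers):
    """Return (allowed, reason). Safe methods always pass. An unsafe method
    passes with no Referer (desktop WebDAV client) or with a Referer in the
    editor UI; a Referer inside the user-content area means another user's
    page triggered the request with the victim's ambient credentials."""
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    referer = headers.get("Referer")
    if referer is None:
        return True, "no Referer, non-browser client assumed"
    parts = urlsplit(referer)
    if parts.netloc.lower() != HOST:
        return False, "cross-site Referer"
    if parts.path.startswith(USER_CONTENT_PREFIX):
        return False, "unsafe method triggered from a user-authored page"
    if parts.path.startswith(AUTHORING_UI_PREFIX):
        return True, "issued by the site's own editor UI"
    return False, "Referer outside the editor-UI allowlist"


def audit(requests):
    """Run the check over (method, path, headers) tuples; return denied ones."""
    denied = []
    for method, path, headers in requests:
        allowed, reason = check_unsafe_request(method, headers)
        if not allowed:
            denied.append((method, path, reason))
    return denied


# Constructed traffic: user B, logged in, opens user A's page, which scripts
# a DELETE against B's resource; the other entries are legitimate.
SAMPLE = [
    ("DELETE", "/users/b/report.doc", {"Referer": "http://dav.example.org/users/a/"}),
    ("PUT", "/users/b/notes.txt", {"Referer": "http://dav.example.org/client/"}),
    ("PROPFIND", "/users/b/", {}),
    ("DELETE", "/users/b/old.txt", {}),  # desktop WebDAV client, no Referer
]
```

The check only identifies the originating page; it does not substitute for the user-agent confirmation the mail asks for, and a client that omits Referer is let through by design.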