- From: Sunava Dutta <sunavad@windows.microsoft.com>
- Date: Wed, 26 Mar 2008 18:51:06 -0700
- To: "Hallvord R. M. Steen" <hallvord@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>
- CC: Eric Lawrence <ericlaw@exchange.microsoft.com>, David Ross <dross@windows.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>
XDR will not participate in HTTPS client authentication, so there is no threat here.

-----Original Message-----
From: public-webapi-request@w3.org [mailto:public-webapi-request@w3.org] On Behalf Of Hallvord R. M. Steen
Sent: Wednesday, March 26, 2008 6:08 PM
To: public-webapi@w3.org
Subject: Question regarding XDR and https

Hi,

I understand that XDomainRequests will omit sending any cookies and HTTP-Auth to a 3rd party site. However, what happens if the 3rd party site uses SSL-based authentication instead? For example, my bank uses an SSL certificate saved in my browser. Can https://attacker.example.com now use XDR to send POST requests to my bank with my SSL credentials?

If this is the case, I think XDR does increase attack surface compared to HTML form posts, because many browsers are configured to warn or inform the users when entering or leaving HTTPS sites. (Most likely everybody on this list has disabled the warning/information message years ago, but many average users will still have it enabled.)

--
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience
Received on Thursday, 27 March 2008 01:51:15 UTC