- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Tue, 27 May 2008 18:40:02 +0200
- To: Chris Wilson <Chris.Wilson@microsoft.com>
- Cc: public-webapi@w3.org, public-appformats@w3.org
* Chris Wilson wrote: >In both XHR2+AC and Flash's policy file approach, the "allow >credentials" and the actual access to data occur in separate network >transactions, and likely (but not guaranteed, of course) separate >network connections. This enables the vector of DNS attacks - the idea >being that between those two connections, an attacker could insert >themselves in to the stream. (Actually, more likely it would be the >other way around - an attacker would insert themselves into the stream, >give back "it's okay to do x-domain", then release and let the real site >give back data. It is insufficient to describe what an attacker could do, you have to show that an attacker can compromise a system only because of the new feature. The attack you describe transforms cross site requests into same origin requests, instead of injecting a spoofed OPTIONS response the attacker could just as well inject a spoofed GET response and have a script included that then has same-origin access to the site. What you describe is essentially as powerful as a XSS vulnerability. There may well be attack vectors that have not yet been considered, but this is not one of them. >XDR, by contrast, performs the "access check" in effect on the same >connection, since it's not a multi-part negotiation. If true, this is actually only so due to some undocumented implemen- tation detail. At the moment the XDR implementation in the IE8 Beta agressively bypasses caches, otherwise it would be vulnerable to the "attack" you describe above because the attacker could inject a 304 response that updates the XDR header in a cached response and the browser would then grant access to it despite the victim forbidding that. As I understand it, "XHR2+AC" implementers want to cache the responses, so I would expect them to by actually "vulnerable", but see above. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de 68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Tuesday, 27 May 2008 16:40:39 UTC