- From: Sam Weinig <weinig@apple.com>
- Date: Mon, 28 Jul 2008 11:08:49 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Arthur Barstow <art.barstow@nokia.com>, Web Applications Working Group WG <public-webapps@w3.org>
On Jul 28, 2008, at 10:45 AM, Jonas Sicking wrote:

> Arthur Barstow wrote:
>> Hi Sam,
>> This seems like a reasonable extension to me.
>> A colleague asks "Are there any new security concerns by putting this inside XHR, or is the assumption that we are not exposing anything new?"
>> What are your thoughts on that question? I presume "not exposing anything new" given this type of functionality is already provided (e.g. form submission as mentioned below).
>
> Yes, I believe that when we implemented a similar feature in Mozilla (different API though) we came to the conclusion that it didn't expose anything significantly new.
>
> There were a few differences though:
> If the File object can be stored in an offline cache, this means that somebody could today be theoretically protected while inside a corporate firewall, as long as they always restart the browser before leaving that firewall. I.e. even if you were somehow tricked into choosing to upload a file, a corporate firewall could protect that data from ever reaching the server. However, if the File object can be stored in an offline cache, such as localStore, then restarting the browser will not prevent this.

I am not sure this is a real attack vector, as the only local storage provided is string-based, so one could not store the File object itself.

> Same holds true if a File object can be used to directly read data out from the file.

This would be the real vector.

> So while File upload through XHR on its own does not seem to cause any security issues, there are some theoretical attacks where it can be used in combination with other things.
>
> However, at Mozilla we did not consider these new attacks likely enough that it prevented us from implementing the feature. The main line of defense is the browser UI that lets you choose a file to upload. If that doesn't protect the user well enough, the user is in the vast majority of cases compromised anyway.

Agreed.

> / Jonas

- Sam
Received on Monday, 28 July 2008 18:09:30 UTC