Re: Proposal for an extension XMLHttpRequest to allow sending files

Sam Weinig wrote:
> 
> On Jul 28, 2008, at 10:45 AM, Jonas Sicking wrote:
> 
>>
>> Arthur Barstow wrote:
>>> Hi Sam,
>>> This seems like a reasonable extension to me.
>>> A colleague asks "Are there any new security concerns by putting this 
>>> inside XHR, or is the assumption that we are not exposing anything new?"
>>> What are your thoughts on that question? I presume "not exposing 
>>> anything new" given this type of functionality is already provided 
>>> (e.g. form submission as mentioned below).
>>
>> Yes, I believe that when we implemented a similar feature in mozilla 
>> (different API though) we came to the conclusion that it didn't expose 
>> anything significantly new.
>>
>> There were a few differences though:
>> If the File object can be stored in an offline cache, this means that 
>> somebody could today be theoretically protected while inside a 
>> corporate firewall, as long as they always restart the browser before 
>> leaving that firewall. I.e. even if you were somehow tricked into 
>> choosing to upload a file, a corporate firewall could protect that 
>> data from ever reaching the server. However if the File object can be 
>> stored in a offline cache, such as localStore, then restarting the 
>> browser will not prevent this.
> 
> I am not sure this is a real attack vector, as the only local storage 
> provided are string based, so one could not store the File object itself.

As of right now yes. Though this might change in the future.

/ Jonas

Received on Tuesday, 29 July 2008 08:50:11 UTC