W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

XHR without user credentials (Was: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility))

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 8 Jun 2009 10:24:03 -0700
Message-ID: <5691356f0906081024r4ed4a783p15b47588fc58d2d5@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller<erights@google.com> wrote:
> On Sun, Jun 7, 2009 at 3:28 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller <erights@google.com> wrote:
>> > If the hypothesis I am raising is indeed not a problem, then it doesn't
>> > matter whether these same origin requests carry "Origin: null" or
>> > nothing.
>> > What matters is that JavaScript code have a standard way to request
>> > their
>> > browser to issue requests carrying no other credentials, even if back to
>> > the
>> > same origin.
>> Yeah, I can see that as being useful.  I encourage you to propose a
>> new API that does this.  The Origin-header-as-CSRF-defense already
>> provides for this possibility.  Is there something specific you'd like
>> me to change in the I-D to support this new API?
> Yes. I will take you up on this invitation. Thanks!

For CORS <http://www.w3.org/TR/access-control/>, and other parts of
web-apps, I think the above agreement is the important take-away from
this discussion. For sites with advertising, or other third-party
widgets, it would be nice to have a way for code to issue network
requests without impersonating the hosting page's Origin.

Received on Monday, 8 June 2009 17:24:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC