[XHR] XMLHttpRequest specification lacks security considerations

With apologies for the belated Last Call comment -- the XMLHttpRequest specification
  http://www.w3.org/TR/XMLHttpRequest/

... doesn't have meaningful security considerations.


Section 3 should at the very least spell out:

- Somewhat detailed considerations around CONNECT, TRACE, and TRACK (flagged in the text of the specification, but not called out in the security section; 4.6.1).
- Considerations around DNS rebinding.
- Some explanation for the "security reasons" that are mentioned in section 4.6.2 (setRequestHeader).
- The rationale for the handling of HTTP redirects in section 4.6.4.
- The fact that this specification normatively defines the same-origin policy as it applies to network access within browsers (section 4.6.1; though that mostly refers to HTML5 these days)



Related to this, what is the rationale for making the following (explicitly security-relevant) conformance clauses SHOULD, not MUST?

** 4.6.1

If method is a case-sensitive match for CONNECT, TRACE, or TRACK the user agent should raise a SECURITY_ERR exception and terminate these steps.

If the origin of url is not same origin with the XMLHttpRequest origin the user agent should raise a SECURITY_ERR exception and terminate these steps.

** 4.6.2

For security reasons, these steps should be terminated if header is an ASCII case-insensitive match for one of the following headers:
...


--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 19 January 2010 07:01:16 UTC