- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 19 Jan 2010 08:01:12 +0100
- To: W3C WebApps WG <public-webapps@w3.org>
- Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
With apologies for the belated Last Call comment -- the XMLHttpRequest specification http://www.w3.org/TR/XMLHttpRequest/ ... doesn't have meaningful security considerations. Section 3 should at the very least spell out: - Somewhat detailed considerations around CONNECT, TRACE, and TRACK (flagged in the text of the specification, but not called out in the security section; 4.6.1). - Considerations around DNS rebinding. - Some explanation for the "security reasons" that are mentioned in section 4.6.2 (setRequestHeader). - The rationale for the handling of HTTP redirects in section 4.6.4. - The fact that this specification normatively defines the same-origin policy as it applies to network access within browsers (section 4.6.1; though that mostly refers to HTML5 these days) Related to this, what is the rationale for making the following (explicitly security-relevant) conformance clauses SHOULD, not MUST? ** 4.6.1 If method is a case-sensitive match for CONNECT, TRACE, or TRACK the user agent should raise a SECURITY_ERR exception and terminate these steps. If the origin of url is not same origin with the XMLHttpRequest origin the user agent should raise a SECURITY_ERR exception and terminate these steps. ** 4.6.2 For security reasons, these steps should be terminated if header is an ASCII case-insensitive match for one of the following headers: ... -- Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 19 January 2010 07:01:16 UTC