W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [XHR] XMLHttpRequest specification lacks security considerations

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 08 Feb 2010 18:01:18 +0100
Message-ID: <4B70435E.5030001@gmx.de>
To: Anne van Kesteren <annevk@opera.com>
CC: Thomas Roessler <tlr@w3.org>, W3C WebApps WG <public-webapps@w3.org>, public-web-security@w3.org
Anne van Kesteren wrote:
>>>> - Considerations around DNS rebinding.
>>> Why would these be specific to XMLHttpRequest?
>> These indeed apply to just about any specification that uses a 
>> same-origin policy. But that's not a justification for ignoring them 
>> here.  DNS rebinding has been both obvious and overlooked for some 
>> 10-15 years, so reminding reviewers and implementers of both the 
>> security risk and the countermeasures would seem appropriate.
> But you could e.g. do this kind of attack using <img> or <form> as well. 
> It seems this problem should be pointed out in the HTTP specification.
> ...

Is re-binding == spoofing? Does 
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.15.3> help, 
or does nit need to be updated (Thomas; HTTPbis will gladly accept your 
input ;-).

> ...
>>> It does not define the policy. It just uses it.
>> It does not define what "same-origin" means.
> That would be a bug in HTML5.
> ...

HTML5 defines when two origins are the same, but it's remarkably silent 
about the so-called "same-origin policy". The information may be there, 
but it#s not obvious where it is.

> ...

Best regards, Julian
Received on Monday, 8 February 2010 17:02:03 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:05 UTC