Re: [XHR] XMLHttpRequest specification lacks security considerations

Anne van Kesteren wrote:
>>>> - Considerations around DNS rebinding.
>>>
>>> Why would these be specific to XMLHttpRequest?
>>
>> These indeed apply to just about any specification that uses a 
>> same-origin policy. But that's not a justification for ignoring them 
>> here.  DNS rebinding has been both obvious and overlooked for some 
>> 10-15 years, so reminding reviewers and implementers of both the 
>> security risk and the countermeasures would seem appropriate.
> 
> But you could e.g. do this kind of attack using <img> or <form> as well. 
> It seems this problem should be pointed out in the HTTP specification.
> ...

Is re-binding == spoofing? Does 
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.15.3> help, 
or does it need to be updated (Thomas; HTTPbis will gladly accept your 
input ;-).

> ...
>>> It does not define the policy. It just uses it.
>>
>> It does not define what "same-origin" means.
> 
> That would be a bug in HTML5.
> ...

HTML5 defines when two origins are the same, but it's remarkably silent 
about the so-called "same-origin policy". The information may be there, 
but it's not obvious where it is.

> ...

Best regards, Julian
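The two things the thread touches on, as an added example that is not part of the original message or of any W3C/HTTPbis text: first, the origin comparison HTML5 does define (the scheme/host/port tuple, with default ports normalised), and second, the usual server-side countermeasure to DNS rebinding, a Host-header allow-list. A rebound request reaches the victim's IP but still carries the attacker's hostname in the Host header, so a service that only answers for its own names simply refuses it. Function names, the hostnames and the sample headers below are constructed for illustration.

```javascript
// Added example, not code from the mailing-list thread. Two checks:
// 1) sameOrigin(): the (scheme, host, port) comparison HTML5 defines.
// 2) hostHeaderAllowed(): a Host-header allow-list, the standard DNS rebinding
//    defence for a server (the rebound request's Host names the attacker's domain).

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Origin tuple of an absolute URL. The WHATWG URL parser drops a default port,
// so we put it back explicitly to make the comparison uniform.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname.toLowerCase(), port };
}

// True when both URLs share scheme, host and (effective) port.
function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Extract the hostname from a Host header value: strips an optional ":port"
// and the brackets of an IPv6 literal. Returns null for malformed input.
function hostFromHeader(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const raw = hostHeader.trim().toLowerCase();
  if (raw.length === 0) return null;
  if (raw.startsWith("[")) {
    const end = raw.indexOf("]");
    if (end === -1) return null;
    return raw.slice(1, end);
  }
  const colon = raw.indexOf(":");
  return colon === -1 ? raw : raw.slice(0, colon);
}

// allowedHosts: hostnames (no port, IPv6 without brackets) this service answers
// for. Anything else, including a missing header, is rejected.
function hostHeaderAllowed(hostHeader, allowedHosts) {
  const host = hostFromHeader(hostHeader);
  if (host === null) return false;
  return allowedHosts.some((h) => h.toLowerCase() === host);
}

// Constructed sample of Host headers as an internal service might see them;
// the last one is what a rebound request would carry.
const SAMPLE_HOST_HEADERS = [
  "intranet.example",
  "intranet.example:8080",
  "[::1]:3000",
  "attacker-controlled.example",
];

// Returns the subset of sample headers a service for the given names would serve.
function servedHosts(allowedHosts) {
  return SAMPLE_HOST_HEADERS.filter((h) => hostHeaderAllowed(h, allowedHosts));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(sameOrigin("http://intranet.example/a", "http://intranet.example:80/b"));
  console.log(servedHosts(["intranet.example", "::1"]));
}
```

The origin check is what a client enforces; the Host-header check is what a server behind a private address should enforce regardless of what any browser does, since the rebinding problem is independent of XMLHttpRequest, as the quoted exchange notes.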

Received on Monday, 8 February 2010 17:02:03 UTC