- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 08 Feb 2010 18:01:18 +0100
- To: Anne van Kesteren <annevk@opera.com>
- CC: Thomas Roessler <tlr@w3.org>, W3C WebApps WG <public-webapps@w3.org>, public-web-security@w3.org
Anne van Kesteren wrote: >>>> - Considerations around DNS rebinding. >>> >>> Why would these be specific to XMLHttpRequest? >> >> These indeed apply to just about any specification that uses a >> same-origin policy. But that's not a justification for ignoring them >> here. DNS rebinding has been both obvious and overlooked for some >> 10-15 years, so reminding reviewers and implementers of both the >> security risk and the countermeasures would seem appropriate. > > But you could e.g. do this kind of attack using <img> or <form> as well. > It seems this problem should be pointed out in the HTTP specification. > ... Is re-binding == spoofing? Does <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.15.3> help, or does nit need to be updated (Thomas; HTTPbis will gladly accept your input ;-). > ... >>> It does not define the policy. It just uses it. >> >> It does not define what "same-origin" means. > > That would be a bug in HTML5. > ... HTML5 defines when two origins are the same, but it's remarkably silent about the so-called "same-origin policy". The information may be there, but it#s not obvious where it is. > ... Best regards, Julian
Received on Monday, 8 February 2010 17:02:03 UTC