Re: [XHR2] new XMLHttpRequest(anon)

On Feb 17, 2010, at 2:33 AM, Jonas Sicking wrote:

> The goal is to minimize risk that people make mistakes. No one is
> disputing that if everyone writes perfect code there won't be security
> issues. The problem is that people tend to not write perfect code.
> That is the whole reason for having credential-less requests. So that
> you know that if you never opt in to allowing credentials, there is no
> need to audit the code to ensure that credentials are ignored in the
> appropriate places.
> I do sort of like the idea that UMP is the "credential less model".
> I.e. that we essentially have two modes: UMP, with no user credentials
> (cookies, auth headers, etc) and no server credentials (origin
> header), and full on with-credentials (with cookies, origin etc).

I agree that two modes is tempting. But I think the middle mode has  
some valid uses. I mention some below, and there is also the fact that  
it exactly matches what is implemented in XDomainRequest.

> There are a few problems however:
> * Need to figure out the syntax to choose between the two modes
> * UMP doesn't include the referer header (right?). I suspect sites
> will be sad about this as it is often used for things not related to
> security. Possibly they'll be sad enough that they'll opt in to
> credentials just to get the referrer header sent. That defeats the
> purpose of having credential less requests.

Even when Referer is stripped, sites may find Origin useful for  
purposes of logging traffic, or for restricting cross-site access over  
the Web if a particular site is issuing an abusive level of requests.  
They may want to do this even for resources that do not require  
credentials to access.

> * Same-site XHR defaults to with-credentials. But cross-site I
> strongly want to default to without credentials. This complicates the
> syntax issue.

Another thing to think about: if any content is doing cross-site  
access without credentials currently, then they are likely using XHR  
without a special constructor, and the server is likely responding  
with "Access-Control-Allow-Origin: *", and without sending "Access- 
Control-Allow-Credentials: true". If we change cross-site XHR to  
default to credentials, then all content will break, until at least  
one of the client code or the server changes. Because if a request is  
sent with credentials, the response will not be revealed unless the  
server sends "Access-Control-Allow-Credentials: true".

On the other hand, if there are servers that are not checking  
credentials doing any filtering or logging based on the sender's  
Origin, then they will break if you default to the UMP model.

I think we've been shipping this too long to casually break such sites  
without looking at the impact. It's also possible that by changing the  
security model out from under running code, we will introduce a  
security hole.


Received on Wednesday, 17 February 2010 11:38:04 UTC