- From: Takeshi Yoshino <tyoshino@google.com>
- Date: Tue, 25 Nov 2014 13:42:25 +0900
- To: Domenic Denicola <d@domenic.me>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Rui Prior <rprior@dcc.fc.up.pt>, "Web Applications Working Group WG (public-webapps@w3.org)" <public-webapps@w3.org>
- Message-ID: <CAH9hSJaDHUGkoOVYb5QoYhYcEEW2G8nDY6gCKT=0QfT5VjUBuA@mail.gmail.com>
On Wed, Nov 19, 2014 at 1:45 AM, Domenic Denicola <d@domenic.me> wrote: > From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On > Behalf Of Anne van Kesteren > > > On Tue, Nov 18, 2014 at 12:50 PM, Takeshi Yoshino <tyoshino@google.com> > wrote: > >> How about padding the remaining bytes forcefully with e.g. 0x20 if the > WritableStream doesn't provide enough bytes to us? > > > > How would that work? At some point when the browser decides it wants to > terminate the fetch (e.g. due to timeout, tab being closed) it attempts to > transmit a bunch of useless bytes? What if the value is really large? > It's a problem that we'll provide a very easy way (compared to building a big ArrayBuffer by doubling its size repeatedly) to a malicious script to have a user agent send very large data. So, we might want to place a limit to the maximum size of Content-Length that doesn't hurt the benefit of streaming upload too much. > I think there are several different scenarios under consideration. > > 1. The author says Content-Length 100, writes 50 bytes, then closes the > stream. > 2. The author says Content-Length 100, writes 50 bytes, and never closes > the stream. > 3. The author says Content-Length 100, writes 150 bytes, then closes the > stream. > 4. The author says Content-Length 100 , writes 150 bytes, and never closes > the stream. > > It would be helpful to know how most servers handle these. (Perhaps HTTP > specifies a mandatory behavior.) My guess is that they are very capable of > handling such situations. 2 in particular resembles a long-polling setup. > > As for whether we consider this kind of thing an "attack," instead of just > a new capability, I'd love to get some security folks to weigh in. If they > think it's indeed a bad idea, then we can discuss mitigation strategies; 3 > and 4 are easily mitigatable, whereas 1 could be addressed by an idea like > Takeshi's. I don't think mitigating 2 makes much sense as we can't know > when the author intends to send more data. > The extra 50 bytes for the case 3 and 4 should definitely be ignored by the user agent. The user agent should probably also error the WritableStream when extra bytes are written. 2 is useful but new situation to web apps. I agree that we should consult security experts.
Received on Tuesday, 25 November 2014 04:43:17 UTC