Re: =[xhr] from Takeshi Yoshino on 2014-11-25 (public-webapps@w3.org from October to December 2014)

From: Takeshi Yoshino <tyoshino@google.com>
Date: Tue, 25 Nov 2014 13:42:25 +0900
To: Domenic Denicola <d@domenic.me>
Cc: Anne van Kesteren <annevk@annevk.nl>, Rui Prior <rprior@dcc.fc.up.pt>, "Web Applications Working Group WG (public-webapps@w3.org)" <public-webapps@w3.org>
Message-ID: <CAH9hSJaDHUGkoOVYb5QoYhYcEEW2G8nDY6gCKT=0QfT5VjUBuA@mail.gmail.com>

On Wed, Nov 19, 2014 at 1:45 AM, Domenic Denicola <d@domenic.me> wrote:

> From: annevankesteren@gmail.com [mailto:annevankesteren@gmail.com] On
> Behalf Of Anne van Kesteren
>
> > On Tue, Nov 18, 2014 at 12:50 PM, Takeshi Yoshino <tyoshino@google.com>
> wrote:
> >> How about padding the remaining bytes forcefully with e.g. 0x20 if the
> WritableStream doesn't provide enough bytes to us?
> >
> > How would that work? At some point when the browser decides it wants to
> terminate the fetch (e.g. due to timeout, tab being closed) it attempts to
> transmit a bunch of useless bytes? What if the value is really large?
>

It's a problem that we'll provide a very easy way (compared to building a
big ArrayBuffer by doubling its size repeatedly) to a malicious script to
have a user agent send very large data. So, we might want to place a limit
to the maximum size of Content-Length that doesn't hurt the benefit of
streaming upload too much.


> I think there are several different scenarios under consideration.
>
> 1. The author says Content-Length 100, writes 50 bytes, then closes the
> stream.
> 2. The author says Content-Length 100, writes 50 bytes, and never closes
> the stream.
> 3. The author says Content-Length 100, writes 150 bytes, then closes the
> stream.
> 4. The author says Content-Length 100 , writes 150 bytes, and never closes
> the stream.
>
> It would be helpful to know how most servers handle these. (Perhaps HTTP
> specifies a mandatory behavior.) My guess is that they are very capable of
> handling such situations. 2 in particular resembles a long-polling setup.
>
> As for whether we consider this kind of thing an "attack," instead of just
> a new capability, I'd love to get some security folks to weigh in. If they
> think it's indeed a bad idea, then we can discuss mitigation strategies; 3
> and 4 are easily mitigatable, whereas 1 could be addressed by an idea like
> Takeshi's. I don't think mitigating 2 makes much sense as we can't know
> when the author intends to send more data.
>

The extra 50 bytes for the case 3 and 4 should definitely be ignored by the
user agent. The user agent should probably also error the WritableStream
when extra bytes are written.

2 is useful but new situation to web apps. I agree that we should consult
security experts.

Received on Tuesday, 25 November 2014 04:43:17 UTC