- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 20 Apr 2006 08:10:20 -0700
- To: www-dom@w3.org
I'd like to raise an issue regarding the DOM Level 2 HTML Specification, in particular HTMLFormElement.submit().
http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-76767676

HTTP has a well-defined concept of safety;
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
whereas unsafe methods require user interaction, so that intent is assured. This is mirrored in the Architecture of the World Wide Web;
http://www.w3.org/TR/webarch/#safe-interaction

Unfortunately, HTMLFormElement.submit() allows scripts to make potentially unsafe requests (e.g., with POST) to arbitrary sites, as explained here;
http://www.net-security.org/dl/articles/AdvancedXSS.pdf

Because of this hole, any Web site that accepts an unsafe method has to take special measures to assure that the request has actually been made with the knowledge of the user. This is in conflict with both the architecture of the World-Wide Web, and the design of HTTP. It's also a Cross-Site Scripting vulnerability, and therefore should be handled as a security problem in the DOM Level 2 HTML specification.

I would suggest that the remedy is to add a note or security considerations section, to the effect that unsafe requests (e.g., POST) generated from HTMLFormElement.submit() MUST be authorised by the user. User-agents MAY get such permission by allowing the user to configure a "white list" of sites, allowing the user to specify that requests to the same site are always permitted, etc.

If this has been discussed / decided before, please send a reference, and apologies for the duplication.

Regards,

--
Mark Nottingham
http://www.mnot.net/
Received on Thursday, 20 April 2006 15:10:27 UTC