[html5] r4641 - [at] (0) warn about a possible security problem if you don't check the websocket [...]
whatwg at whatwg.org
Mon Feb 1 03:17:01 PST 2010
Author: ianh
Date: 2010-02-01 03:16:57 -0800 (Mon, 01 Feb 2010)
New Revision: 4641
Modified:
complete.html
source
Log:
[at] (0) warn about a possible security problem if you don't check the websocket handshake carefully on the server.
Modified: complete.html
===================================================================
--- complete.html 2010-02-01 08:41:35 UTC (rev 4640)
+++ complete.html 2010-02-01 11:16:57 UTC (rev 4641)
@@ -68234,6 +68234,18 @@
purposes. Their semantics are equivalent to the semantics of the
HTTP headers with the same names.</p>
+ <p class=warning>If a server reads fields for authentication
+ purposes (such as <code title="">Cookie</code>"), or if a server
+ assumes that its clients are authorized on the basis that they can
+ connect (e.g. because they are on an intranet firewalled from the
+ public Internet), then the server should also verify that the
+ client's handshake includes the invariant "Upgrade" and
+ "Connection" parts of the handshake. Otherwise, an attacker could
+ trick a client into sending Web Socket frames to a server
+ (e.g. using <code>XMLHttpRequest</code>) and cause the server to
+ perform actions on behalf of the user without the user's
+ consent.</p>
+
</dd>
</dl><p>A final field consisting of the empty string (two consecutive
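Review bot: there is a stray closing quotation mark in the new warning paragraph: `(such as <code title="">Cookie</code>")` opens no quote before `Cookie` but closes one after `</code>`, so the rendered text shows a dangling `"`. Either drop the quote or quote the field name consistently, e.g. `(such as <code title="">Cookie</code>)`.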
Modified: source
===================================================================
--- source 2010-02-01 08:41:35 UTC (rev 4640)
+++ source 2010-02-01 11:16:57 UTC (rev 4641)
@@ -77898,6 +77898,18 @@
purposes. Their semantics are equivalent to the semantics of the
HTTP headers with the same names.</p>
+ <p class="warning">If a server reads fields for authentication
+ purposes (such as <code title="">Cookie</code>"), or if a server
+ assumes that its clients are authorized on the basis that they can
+ connect (e.g. because they are on an intranet firewalled from the
+ public Internet), then the server should also verify that the
+ client's handshake includes the invariant "Upgrade" and
+ "Connection" parts of the handshake. Otherwise, an attacker could
+ trick a client into sending Web Socket frames to a server
+ (e.g. using <code>XMLHttpRequest</code>) and cause the server to
+ perform actions on behalf of the user without the user's
+ consent.</p>
+
</dd>
</dl>
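Review bot: same stray quotation mark as in complete.html on the line `+ purposes (such as <code title="">Cookie</code>"), or if a server`; the fix belongs here in `source` as well. Separately, the warning tells servers to verify the invariant "Upgrade" and "Connection" parts but leaves implicit why that defeats the `XMLHttpRequest` case it describes; one clause saying that a client cannot produce those parts of the handshake through `XMLHttpRequest`, or a cross-reference to the section that defines the invariant handshake lines, would make the reasoning self-contained for implementers.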