[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC
Hallvord Reiar Michaelsen Steen
hallvord at hallvord.com
Tue Mar 22 09:42:36 PST 2005
On 21 Mar 2005 at 17:57, Chris Holland wrote:
> The X-Allow-Foreign-Hosts header we were talking about earlier,
> wouldn't lend itself to much granularity on specific resources.
I'm not sure what you mean by that - the header can be sent with a
specific URL only. You don't get much more "granular" than that,
unless I missed something?
> But let's be paranoid, and say they misconfigure their server, and all
> responses include our header. blam, /my/* is exposed, foreign
> documents can start sending authenticated queries to /my/*, and sniff
> results by crawling the resulting DOM.
It is a valid concern but it takes a seriously misconfigured server,
and even then it's only worth exploiting if the data you would find
is really valuable - something like user names and passwords or
credit card numbers, because the exploit is fairly involved (you must
know a lot to find the vulnerability in the first place, then write a
JavaScript that exploits it, then spam a million people to get a fair
number of commerce.foo.com 's customers to go to your exploit page.)
There is a certain barrier to entry when using a HTTP header that
hopefully would exclude people who don't understand what they are
doing :-) and I think a header that probably usually would be printed
out by the script handling requests to that specific URL and thus may
be more difficult to misconfigure than for the example the
complicated Mozilla-model document..
> 1) disable cookies for a ContextAgnosticHttpRequest
> 2) maintain an entirely separate cookie table for this request. the
> question then becomes, do we maintain a separate cookie table for each
> referring document? We'd essentially be considering each referring
> document to be a separate application through which a user would
> re-establish credentials to communicate with a foreign site. sounds
> rather painful.
Yes, sounds like that would really complicate browser cookie
handling. A third way would be to discard previous cookies and not
send any with the first request, but keep and send any cookies during
subsequent http communication.
I still think that though misconfiguration can have serious exploit
potential it would not be a severe problem in real life. Perhaps
other list members can step in and comment on whether that's too
optimistic?
--
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/
Note: mail to hallvors at online.no will still be read but you may want to start using
hallvord at hallvord.com instead
More information about the whatwg
mailing list