Friday, June 27th, 2008
A few proposals and implementations exist like XDomainRequest in IE8, JSONRequest and the W3Câ€™s Web Applications Working Groupâ€™s Cross Site XMLHttpRequest (CS-XHR) draft specification, which combines an Access control framework with XMLHttpRequest or other features. While XDomainRequest is focused on enabling anonymous access of third party public data, Cross Site XMLHttpRequest has added functionality and consequently enables a broader set of scenarios that may appeal to the developer who may choose to use cross domain authentication and access control among other features. As can be expected with securing a large cross section of cross domain scenarios, a number of concerns have been identified with the CS-XHR draft by the web development community, the IE team members and members of the Web Apps Working Group. For a list of our recent feedback on security on CS-XHR and our take on important security principles in cross domain, please read our Security Whitepaper on Cross Domain. The paper also covers best practices and guidance for developers who will choose to build on the current draft if itâ€™s supported by a future browser.
The community quickly jumped on this in the comments, and beyond.
Anne van Kesteren said:
After half a year of waiting Microsoft finally posted their feedback on Access Control for Cross-Site Requests and specifically the way
XMLHttpRequestLevel 2 works with that. Microsoft blogged about this event. I suggest people read this rebuttal from Jonas on the paper Microsoft published. To be clear, while the specifications are not entirely finalized nobody has so far put forward a viable attack scenario that does not already apply when these technologies are not supported by user agents.
As linked from Anne, Jonas posted nice feedback:
I’ll start with a mini FAQ to avoid repeating myself below:
Why is the PEP in the client rather than the server?
In order to protect legacy servers some of the enforcement will have to live in the client. We can’t expect existing legacy servers to all of a sudden enforce something that they haven’t before.
In fact, even XDR using client side PEP. It’s the client that looks for the XDomainRequest header and denies the webpage access to the data if the header is not there.
In fact, Access-Control does allow full PEP on the server if it so chooses by providing an “Origin” header.
Is Access-Control designed with “Security by design”
Yes. In many ways. For example Access-Control does not allow any requests to be sent to the server that aren’t already possible today, unless the server explicitly asks to receive them.
Additionally Access-Control sets up a safe way to transfer private data. This prevents sites from having to invent their own which risks them inventing something less safe.
Thirdly, Access-Control integrates well with the existing HTTP architecture of the web by supporting REST apis and the Content-Type header. This allows existing security infrastructure to inspect and understand Access-Control requests properly.
What about DNS rebinding attacks.
Even with DNS rebinding attacks Access-Control is designed not to allow any requests which are not possible already in todays web platform as implemented in all major browsers.
Especially the last point is something that seems to have been misunderstood at Microsoft. It is not the case that DNS rebinding attacks affect Access-Control any different than it affects the rest of the web platform.
Posted by Dion Almaer at 9:24 am