If we are still talking about <img>, <script>, etc., then I would argue that the type of the request isn't identical because these are GET requests, whereas the scenario I described is a POST request. So, if a server only supports POST for data insert/update/delete operations (which is recommended best practice, therefore a good number of sites will do this), then <img> and <script> cannot do any harm. Also, with Access-Control-powered XHR, meaningful data can be retrieved from the other-domain server leveraging any cookies that apply to the other domain, whereas with <img> the JavaScript will not receive any data and with <script> data can only be received if it is formatted as JSON (or other JavaScript). Therefore, there are indeed new opportunities for doing bad things, including new CSRF opportunities, because the current draft says the browser should send cookies.
From: "Anne van Kesteren" <[EMAIL PROTECTED]>
Sent by: public-appformats [EMAIL PROTECTED]
Date: 01/15/2008 12:09 PM
To: "David Orchard" <[EMAIL PROTECTED]>
cc: "WAF WG (public)" <[email protected]>
Subject: Re: ISSUE 19: Requirements and Usage Scenarios document
On Tue, 15 Jan 2008 17:44:35 +0100, David Orchard <[EMAIL PROTECTED]> wrote:
> If Cookies would be sent as part of more requests because of deployment
> of the Access Control spec, then isn't this spec opening a new attack
> vector? I understand your point that cookies are already sent under
> img, script and form, but this is something newer and in addition to
> those.
I think I disagree. The (type of) request is identical. Especially since
it's about the request and not about the protocol that issues the request.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
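The distinction the two messages argue over (a cookie-bearing request that the page cannot read back, versus a credentialed XHR whose response the page can read if the server opts in) is modelled below as an added example. It is not code from either participant or from the Access Control draft; it uses the header names of the final CORS specification (Access-Control-Allow-Origin, Access-Control-Allow-Credentials) rather than the 2008 draft syntax, and the origins, the allowlist and the function names are assumptions for illustration.

```javascript
// Added example, not code from the thread. Models (a) the CORS grant a
// server emits for a cross-origin request, (b) the read-back rule a
// browser applies to that grant, and (c) what a page can observe from
// <img>, <form> and credentialed XHR against a cookie-authenticated site.
'use strict';

// Hypothetical list of origins the server trusts with cookie-backed data.
const TRUSTED_ORIGINS = new Set(['https://app.example']);

// Server side: decide which CORS headers to emit for a request from
// `origin`. Untrusted origins get no grant at all. A grant with
// credentials always echoes the exact origin; '*' is never combined with
// Allow-Credentials because browsers reject that pairing.
function corsHeadersFor(origin, allowlist = TRUSTED_ORIGINS) {
  if (!allowlist.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Browser side: may the requesting page read the response body?
// Credentialed requests need an exact-origin echo plus Allow-Credentials;
// anonymous requests accept '*' or the exact origin.
function browserCanReadResponse({ origin, withCredentials }, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    return allowOrigin === origin &&
      headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === origin;
}

// Server side: should a state-changing (POST) request be processed?
// Assumes the browser attached an Origin header; requests from origins
// that are neither the site itself nor on the allowlist are refused, so
// the cookie alone is not enough to make the change happen.
function acceptStateChange(origin, selfOrigin, allowlist = TRUSTED_ORIGINS) {
  return origin === selfOrigin || allowlist.has(origin);
}

// Simulate what a page at `origin` observes for each request kind.
// All three carry the target site's cookies; only the XHR can yield a
// readable body, and only when the server granted it.
function simulate(kind, origin, allowlist = TRUSTED_ORIGINS) {
  const cookieSent = true;
  if (kind === 'img') {
    return { method: 'GET', cookieSent, readable: false };
  }
  if (kind === 'form') {
    return { method: 'POST', cookieSent, readable: false };
  }
  if (kind === 'xhr-credentialed') {
    const headers = corsHeadersFor(origin, allowlist);
    const readable = browserCanReadResponse({ origin, withCredentials: true }, headers);
    return { method: 'POST', cookieSent, readable };
  }
  throw new Error('unknown request kind: ' + kind);
}

module.exports = { corsHeadersFor, browserCanReadResponse, acceptStateChange, simulate };
```

The `simulate` results make the thread's point concrete: an attacker page at `https://evil.example` gets the cookie sent in every case, but `readable` is only true for the credentialed XHR, and only if the server's allowlist names that origin. The server-side `acceptStateChange` is the check the thread implies a POST-only endpoint still needs once credentialed cross-origin requests exist: accepting the cookie is not the same as accepting the origin.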
