On Wed, 16 Jan 2008 01:34:08 +0100, Jon Ferraiolo <[EMAIL PROTECTED]>
wrote:
> If we are still talking about <img>, <script>, etc, then I would argue
> that the type of the request isn't identical because these are GET
> requests, whereas the scenario I described is a POST request. So, if a
> server only supports POST for data insert/update/delete operations (which
> is recommended best practice, therefore a good number of sites will do
> this), then <img> and <script> cannot do any harm.
Before you can even issue a POST the server first needs to reply to a
preflight OPTIONS request in the right way. (The access control POST is
therefore a whole lot more secure than the <form> POST we already have,
even though they are almost identical.)
> Also, with Access-Control-powered XHR, meaningful data can be retrieved
> from the other-domain server leveraging any cookies that apply to the
> other domain,
Cookies in the response are not exposed. Please carefully study the
specification.
> whereas with <img> the JavaScript will not receive any data and with
> <script> data can only be received if it is formatted as JSON (or other
> JavaScript). Therefore, there are indeed new opportunities for doing bad
> things, including new CSRF opportunities, because the current draft says
> the browser should send cookies.
Cookies are sent in the request, yes. The cookies in the response are not
exposed. The response itself is protected by the opt-in access control
mechanism.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
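Added example, not part of the thread and not code from the W3C draft or from Opera: a small browser-side model of the two points Anne makes above. A cross-site POST is only issued after the server answers the preflight OPTIONS request with an opt-in, and even after an opt-in the script never sees Set-Cookie from the response. The header names are those CORS later standardized (assumption: the January 2008 draft used different ones); the three server functions and the cookie value are constructed stand-ins.

```python
# Added example: browser-side model of the opt-in access-control flow.
# Header names follow the later CORS standard (an assumption here, not the
# 2008 draft's vocabulary); all servers and cookies below are constructed.
from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]
# Stand-in for a remote HTTP server: (method, request headers) -> (status, headers, body).
Server = Callable[[str, Headers], Tuple[int, Headers, str]]

# Response headers script may read cross-origin without any Expose-Headers opt-in.
SAFELISTED_RESPONSE_HEADERS = {
    "cache-control", "content-language", "content-length",
    "content-type", "expires", "last-modified", "pragma",
}
# Never exposed to script across origins, whatever the server says.
FORBIDDEN_RESPONSE_HEADERS = {"set-cookie", "set-cookie2"}


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_allowed(resp: Headers, origin: str, credentials: bool) -> bool:
    """The server's opt-in: it must name the requesting origin ('*' only for
    requests without cookies) and explicitly allow credentials when cookies ride along."""
    allow = get_header(resp, "Access-Control-Allow-Origin")
    if allow is None:
        return False
    if allow == "*":
        return not credentials  # a wildcard never pairs with cookies
    if allow != origin:
        return False
    if credentials:
        return get_header(resp, "Access-Control-Allow-Credentials") == "true"
    return True


def preflight_allows(resp: Headers, origin: str, method: str, credentials: bool) -> bool:
    """Decide from the OPTIONS response whether the real request may be sent at all."""
    if not origin_allowed(resp, origin, credentials):
        return False
    methods = get_header(resp, "Access-Control-Allow-Methods") or ""
    allowed = {m.strip().upper() for m in methods.split(",") if m.strip()}
    return method.upper() in allowed


def exposed_headers(resp: Headers) -> Headers:
    """Headers script may read: the safelist plus Access-Control-Expose-Headers, minus Set-Cookie."""
    extra = get_header(resp, "Access-Control-Expose-Headers") or ""
    visible = SAFELISTED_RESPONSE_HEADERS | {h.strip().lower() for h in extra.split(",") if h.strip()}
    return {k: v for k, v in resp.items()
            if k.lower() in visible and k.lower() not in FORBIDDEN_RESPONSE_HEADERS}


def cross_site_post(origin: str, server: Server, credentials: bool = True) -> dict:
    """Script at `origin` attempts a cross-site POST: preflight first, real request
    only after an opt-in, response visible only if the opt-in covers it too."""
    _, pre_headers, _ = server("OPTIONS", {"Origin": origin, "Access-Control-Request-Method": "POST"})
    if not preflight_allows(pre_headers, origin, "POST", credentials):
        return {"post_sent": False, "body": None, "headers": {}}
    req = {"Origin": origin, "Content-Type": "text/plain"}
    if credentials:
        req["Cookie"] = "session=abc123"  # constructed cookie for the target domain
    _, resp_headers, resp_body = server("POST", req)
    if not origin_allowed(resp_headers, origin, credentials):
        return {"post_sent": True, "body": None, "headers": {}}  # server saw it; script gets a network error
    return {"post_sent": True, "body": resp_body, "headers": exposed_headers(resp_headers)}


def legacy_server(method: str, req: Headers) -> Tuple[int, Headers, str]:
    """Constructed: a server that knows nothing about access control."""
    return 200, {"Content-Type": "text/html", "Set-Cookie": "session=abc123"}, "<html>account page</html>"


def opted_in_server(method: str, req: Headers) -> Tuple[int, Headers, str]:
    """Constructed: a server that opts in for https://app.example, cookies included."""
    cors = {"Access-Control-Allow-Origin": "https://app.example",
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": "POST"}
    if method == "OPTIONS":
        return 200, cors, ""
    return 200, {**cors, "Content-Type": "application/json", "Set-Cookie": "session=abc123"}, '{"deleted": 42}'


def wildcard_server(method: str, req: Headers) -> Tuple[int, Headers, str]:
    """Constructed: a public endpoint open to any origin, which therefore cannot take cookies."""
    cors = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "POST"}
    if method == "OPTIONS":
        return 200, cors, ""
    return 200, {**cors, "Content-Type": "text/plain"}, "ok"


if __name__ == "__main__":
    for name, srv in (("legacy", legacy_server), ("opted-in", opted_in_server), ("wildcard", wildcard_server)):
        print(name, cross_site_post("https://app.example", srv))
```

The legacy server never receives the POST because its OPTIONS reply carries no opt-in, which is the contrast with a plain <form> POST that Anne draws. The opted-in server does receive it and its JSON body is readable, but the Set-Cookie it sends back is filtered out before script sees the headers. The wildcard server only works for requests without cookies, so the "leveraging any cookies" concern does not extend to servers that merely opened themselves to everyone.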