Access-Control lets a web page send HTTP requests to any server. This
request includes the cookies and auth headers of the user visiting the
web page. This request can also be made to servers on intranets that sit
behind the same firewall as the user.

Designing such a specification must be done while minimizing the risk
that it will cause harm to the user and the server. Any time we design
something we really must ask ourselves the question "are we sure this
will not cause harm"; it can not simply be "can someone prove that this
will cause harm". We must always fault on the side of caution. If we
fail to think of a scenario that should not break the security structure
of the internet.

With that in mind, my question still remains: can you provide any
evidence that your proposal will not cause harm? I.e. how can you be
sure that sending a GET request to a server and including any random header
will not cause that server to perform harmful actions?

Best Regards
/ Jonas
mike amundsen wrote:

Jonas:

Yes, the spec makes no mention of limiting HTTP Headers[1] - this is
what I expect. There is no limiting of values in the current
XMLHttpRequest.setRequestHeader method and this, IMO, should continue
for the CSR version as well.

I've spent some time on this and I can't find any headers that should
be considered harmful in a CSR scenario. More to the point, I can't
see how CSR would 'make' any HTTP Header less safe, etc.

As has already been covered here, servers still have the primary role
of enforcing access rights for all requests. Fiddling with the list of
allowed/disallowed HTTP Headers will not change that, right?

Maybe I am missing some scenario that has already been discussed where
HTTP Headers cause problems. Can anyone help me out on this?

Mike

[1] Header Field Definitions
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14)
On Feb 18, 2008 7:07 PM, Jonas Sicking <[EMAIL PROTECTED]> wrote:

mike amundsen wrote:

I've read some threads that lead me to think that the Mozilla plan is
to block certain HTTP Headers in their implementation of CSR. I can't
find any details on this and would like some clarification.

What, if any, HTTP Headers are going to be disallowed? Is this for all
HTTP Methods?

First off, note that there are no particular headers disallowed when
using the access-control spec in general. I.e. any headers normally sent
with a request will be sent for cross-site requests that use the
access-control spec.

We do however limit which headers can be set using the
XMLHttpRequest.setRequestHeader method. Looking at the code it currently
only allows "accept" and "accept-language". Not actually sure what this
very short list was based on. I do think we should at the very least
also allow "content-type". If you have any further suggestions for
headers that you think would be safe, do let me know.

/ Jonas
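The distinction Jonas draws at the end of the thread, that the browser sends its usual headers (cookies, HTTP auth) on a cross-site request but restricts what script may add through setRequestHeader, can be modelled in a few lines. The code below is an added illustration, not Mozilla's implementation or anything from the thread's authors; the allow-list it uses is an assumption taken from the message ("accept", "accept-language", and the proposed "content-type"), and the function names and sample headers are constructed for the example.

```javascript
// Added example: a model of the browser-side allow-list for headers that
// script may set on a cross-site XMLHttpRequest. ASSUMPTION: the list is
// the two headers currently permitted in the thread plus the proposed
// "content-type"; this is not Mozilla's code.
const CROSS_SITE_SETTABLE_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-type",
]);

// RFC 2616 "token" characters: anything but CTLs and separators.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Header names are case-insensitive, so compare in lower case. A name
// that is not a valid token is rejected outright, mirroring how
// setRequestHeader treats a syntactically invalid header name.
function normalizeHeaderName(name) {
  if (typeof name !== "string" || !TOKEN_RE.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
  return name.toLowerCase();
}

// True when script is permitted to set this header on a cross-site request.
function canSetCrossSiteHeader(name) {
  return CROSS_SITE_SETTABLE_HEADERS.has(normalizeHeaderName(name));
}

// Simulates a page calling setRequestHeader once per entry of
// `scriptHeaders` on a cross-site request. Allow-listed headers are kept;
// everything else is dropped and reported in `rejected`. Headers the user
// agent adds by itself (Cookie, Authorization from HTTP auth) never pass
// through this check, which is the point made in the thread: the list
// limits what script can add, not what the browser sends anyway.
function applyCrossSiteHeaders(scriptHeaders) {
  const allowed = {};
  const rejected = [];
  for (const [name, value] of Object.entries(scriptHeaders)) {
    const lower = normalizeHeaderName(name);
    if (canSetCrossSiteHeader(lower)) {
      allowed[lower] = value;
    } else {
      rejected.push(lower);
    }
  }
  return { allowed, rejected };
}

// Constructed sample of what a page might attempt to set.
const sample = applyCrossSiteHeaders({
  Accept: "application/json",
  "Content-Type": "text/plain",
  "X-Requested-With": "XMLHttpRequest",
  Cookie: "session=page-chosen-value",
});
console.log(JSON.stringify(sample));
```

Because the user's real cookies are attached by the browser regardless of this list, the server side of Mike's argument still holds: the allow-list only narrows what a page can inject, so a server that relies on request headers for authorization must validate them itself rather than assume a cross-site request could not have carried them.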