On Mar 17, 2008, at 2:29 PM, Sunava Dutta wrote:
> Maciej Stachowiak [EMAIL PROTECTED] said:
> <<But not exactly identical, since forms can't be used to POST XML
> content with a proper MIME type cross-domain.>>
> You're right-- setting an arbitrary request content-type is a
> capability not present in HTML forms today. While we believe that
> this is a minimal increase in attack surface, we agree that it's
> worth considering whether or not such capability should be removed.
> If removed, all XDR POST requests could be sent with:
> Content-Type: text/plain; charset=UTF-8
> Servers would then be flexible in interpreting the data in the
> higher-level format they expect (JSON, XML, etc).
I think encouraging more content sniffing of text/plain on the server
side is likely to increase, not reduce attack surface.
> Maciej Stachowiak [EMAIL PROTECTED] asked:
> <<What I'd like to understand is whether there are security benefits
> to the API and protocol differences.>>
> We believe that the XDR proposal represents a simpler mechanism for
> enabling the most commonly requested types of cross-domain access.
> We believe that such simplicity will lead to improved security in
> practical implementations by browsers.
> There are many threats against a cross-domain communication
> mechanism, so we believe the simplicity of XDR makes it more
> suitable than attempting to plumb cross-domain capabilities into the
> existing XHR object. In particular, we are concerned that
> attempting to introduce new restrictions/added complexity on an XHR
> object when it is used in a cross-domain manner will result in a
> confusing programming model for the web developer.
So far I have not heard any *specific* security risks of the Access-
Control model as compared to XDR, at least none that have held up to
closer scrutiny. Is Microsoft aware of any specific such risks, as
opposed to general concerns?
Certainly simplicity of client-side authoring, server-side authoring
and implementation are worth discussing as well, but I think the
approaches are similar enough that simplicity in itself is not a major
security issue.
Regards,
Maciej
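The exchange above turns on whether a server should "flexibly interpret" a text/plain body as JSON or XML. The following is an added example, not code from either participant or from any browser or XDR implementation: a small Python body parser that dispatches strictly on the declared Content-Type, next to a sniffing variant of the kind the reply argues against. The media types, the parser behaviour and the sample bodies are the example's own assumptions; the sniffing variant exists only to show, on constructed input, that a body declared as text/plain is silently accepted by it and refused by the strict one.

```python
# Added example (not from the thread): parse a POST body by the Content-Type
# the client declared, rather than guessing what text/plain "really" is.
import json
import xml.etree.ElementTree as ET


class UnsupportedMediaType(Exception):
    """Raised when the declared Content-Type is not one the endpoint accepts."""


def parse_media_type(header):
    """Split 'type/subtype; charset=UTF-8' into ('type/subtype', {'charset': 'utf-8'})."""
    if not header:
        return "", {}
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, value = p.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"').lower()
    return media_type, params


def parse_body_strict(content_type, body):
    """Decode the body only as the media type the client declared.

    A missing, unknown or text/plain Content-Type is refused outright, so the
    endpoint never has to guess whether a body is JSON, XML or something else.
    """
    media_type, params = parse_media_type(content_type)
    charset = params.get("charset", "utf-8")
    if media_type == "application/json":
        return json.loads(body.decode(charset))
    if media_type in ("application/xml", "text/xml"):
        return ET.fromstring(body.decode(charset))
    raise UnsupportedMediaType(media_type or "<missing Content-Type>")


def parse_body_sniffing(content_type, body):
    """The pattern the reply warns against: treat text/plain as 'whatever parses'.

    Shown only for contrast; a body labelled text/plain is tried as JSON and
    then as XML, so the declared type no longer constrains what gets processed.
    """
    media_type, params = parse_media_type(content_type)
    if media_type != "text/plain":
        return parse_body_strict(content_type, body)
    text = body.decode(params.get("charset", "utf-8"))
    try:
        return json.loads(text)
    except ValueError:
        pass
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        raise UnsupportedMediaType(media_type)


# Constructed sample bodies (not captured traffic).
SAMPLE_JSON = b'{"action": "update", "value": 42}'
SAMPLE_XML = b"<request><action>update</action></request>"


def demo():
    """Run the same JSON body through both parsers under two declared types."""
    results = {}
    results["json_declared"] = parse_body_strict(
        "application/json; charset=UTF-8", SAMPLE_JSON)
    try:
        parse_body_strict("text/plain; charset=UTF-8", SAMPLE_JSON)
        results["plain_strict"] = "accepted"
    except UnsupportedMediaType:
        results["plain_strict"] = "rejected"
    results["plain_sniffed"] = parse_body_sniffing(
        "text/plain; charset=UTF-8", SAMPLE_JSON)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The strict parser is the one to keep: with it, an endpoint that expects application/json cannot be reached by a text/plain body at all, which is the point the reply makes about server-side sniffing widening rather than narrowing the attack surface.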