On Mar 17, 2008, at 7:52 PM, Sunava Dutta wrote:


Maciej Stachowiak [EMAIL PROTECTED] noted:
<<I think encouraging more content sniffing of text/plain on the server side is likely to increase, not reduce attack surface.>>

If a service is defined as accepting one format, it need only accept that format, and can reject anything else. Sniffing is not recommended or desirable.

Such a service should reject an incorrect MIME type, which text/plain would be for XML.


Remember, even if you allow the Content-Type to be specified by the caller, the server has NO guarantee that the Content-Type specified is an accurate description of the POST body content. To remain secure, servers MUST be robust in the face of malformed input.

However, sniffing in text/plain is a whole different ball of wax.



Maciej Stachowiak [EMAIL PROTECTED] noted:
<<So far I have not heard any *specific* security risks of the Access-Control model as compared to XDR, at least none that have held up to closer scrutiny. Is Microsoft aware of any specific such risks, as opposed to general concerns?>>

The Security Worries section here: http://wiki.mozilla.org/Cross_Site_XMLHttpRequest and the Security section here: http://www.w3.org/TR/access-control/#security describe some of the concerns related to the Access-Control model. We believe that the XDR model effectively mitigates the concerns described.

Do you have any specifics? Which of those items, in particular, do you think represent security vulnerabilities in XHR2+AC? Which are addressed by XDR? I can do this analysis myself if necessary, but if Microsoft is making the claim that XDR is more secure and that you believe XHR2+AC has security vulnerabilities, I think you should provide specific evidence to back up these claims.

(Note that these are both lists of issues that are believed to be adequately addressed, so it is not immediately obvious which items you believe are vulnerabilities.)


Maciej Stachowiak [EMAIL PROTECTED] noted:
<<Certainly simplicity of client-side authoring, server-side authoring and implementation are worth discussing as well, but I think the approaches are similar enough that simplicity in itself is not a major security issue.>>

While simplicity alone obviously is no guarantee of security, design complexity almost always leads to implementation bugs. Implementation bugs in access control mechanisms lead to security bugs.

That is true. But based on my experience writing the original implementation of XMLHttpRequest for WebKit, and my review of the spec, I do not think XHR2+AC rises to the level of complexity that is highly likely to lead to implementation bugs.

Regards,
Maciej
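As an added example, not code from this thread or from either browser's implementation, the two server-side strategies discussed above side by side: an endpoint that accepts only its declared format and rejects everything else with 415, next to the sniffing variant that processes a text/plain body anyway when it happens to look like XML. The XML-only endpoint, the request shape (a header dict plus a raw body) and the sample requests are assumptions constructed for illustration; the handlers return (status, detail) tuples rather than real HTTP responses.

```python
"""Strict Content-Type enforcement versus body sniffing on a POST endpoint.

Added example, not code from the mailing-list thread. The XML-only
endpoint, the request representation and the sample requests are
assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

# The only media types this (hypothetical) service is defined to accept.
ACCEPTED_TYPES = {"application/xml", "text/xml"}


def media_type(headers):
    """Return the declared media type, lower-cased and without parameters.

    Header names are matched case-insensitively; a missing header yields "".
    """
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def parse_xml(body):
    """Parse the body as XML, mapping any parse failure to a 400 response.

    This is the 'robust in the face of malformed input' part: the declared
    type is only a claim, so the body is still validated before use.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 400, "Bad Request"
    return 200, root.tag


def strict_handler(headers, body):
    """Accept the declared format only; never consult the body to decide."""
    if media_type(headers) not in ACCEPTED_TYPES:
        return 415, "Unsupported Media Type"
    return parse_xml(body)


def sniffing_handler(headers, body):
    """Sniffing variant: a text/plain body that looks like XML is processed.

    This widens the attack surface, because a request that could only be
    sent as text/plain is now treated as if it had been sent as XML.
    """
    mt = media_type(headers)
    looks_like_xml = mt == "text/plain" and body.lstrip().startswith(b"<")
    if mt in ACCEPTED_TYPES or looks_like_xml:
        return parse_xml(body)
    return 415, "Unsupported Media Type"


# Constructed sample requests (not captured traffic).
XML_BODY = b'<?xml version="1.0"?><order><item>1</item></order>'
MISLABELLED = {"Content-Type": "text/plain"}                   # XML body sent as plain text
DECLARED_XML = {"Content-Type": "application/xml; charset=utf-8"}
JUNK_BODY = b"<not really xml"


if __name__ == "__main__":
    print("strict, text/plain:", strict_handler(MISLABELLED, XML_BODY))
    print("strict, xml:       ", strict_handler(DECLARED_XML, XML_BODY))
    print("strict, junk:      ", strict_handler(DECLARED_XML, JUNK_BODY))
    print("sniff, text/plain: ", sniffing_handler(MISLABELLED, XML_BODY))
```

The strict handler answers the text/plain request with 415 before the body is ever parsed, while the sniffing handler parses it and acts on it; both still return 400 for a body that claims to be XML but is not, since the declared type is never trusted as proof of well-formedness.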
