On Jul 28, 2008, at 10:45 AM, Jonas Sicking wrote:

> Arthur Barstow wrote:
>> Hi Sam,
>>
>> This seems like a reasonable extension to me.
>>
>> A colleague asks "Are there any new security concerns by putting
>> this inside XHR, or is the assumption that we are not exposing
>> anything new?"
>>
>> What are your thoughts on that question? I presume "not exposing
>> anything new" given this type of functionality is already provided
>> (e.g. form submission as mentioned below).
>
> Yes, I believe that when we implemented a similar feature in Mozilla
> (different API though) we came to the conclusion that it didn't
> expose anything significantly new.
>
> There were a few differences though:
>
> If the File object can be stored in an offline cache, this means
> that somebody could today be theoretically protected while inside a
> corporate firewall, as long as they always restart the browser
> before leaving that firewall. I.e. even if you were somehow tricked
> into choosing to upload a file, a corporate firewall could protect
> that data from ever reaching the server. However, if the File object
> can be stored in an offline cache, such as localStore, then
> restarting the browser will not prevent this.

I am not sure this is a real attack vector, as the only local storage
provided is string-based, so one could not store the File object
itself.

> Same holds true if a File object can be used to directly read data
> out from the file.

This would be the real vector.

> So while File upload through XHR on its own does not seem to cause
> any security issues, there are some theoretical attacks where it can
> be used in combination with other things.
>
> However, at Mozilla we did not consider these new attacks likely
> enough that it prevented us from implementing the feature. The main
> line of defense is the browser UI that lets you choose a file to
> upload. If that doesn't protect the user well enough, the user is in
> the vast majority of cases compromised anyway.

Agreed.

> / Jonas

- Sam