On Jan 9, 2010, at 7:23 AM, Tyler Close wrote:
> If the response can be parsed as ECMAScript, an attacker can break
> confidentiality by loading the document using a <script> tag.
I don't think this is a valid argument for potentially breaking
confidentiality for content that is not parseable as ECMAScript.
Browsers consider it a security hole when client-side script can
access HTML or XML cross-domain in the same way as JavaScript or CSS.
> Also, for any media-type, the attacker can mount a clickjacking attack
> against this design. Since in general this design cannot be made safe,
> I think it's better to not support it at all in the security model, by
> allowing a uniform request to follow a non-uniform redirect.
It used to be that UMP was a subset of CORS (in the sense that some
request headers and some processing of allowed responses is removed,
but otherwise the model is the same). This feature moves us away from
that. We've also had a proposal for XHR2 to support UMP or a UMP-like
mode before, but now it seems like the intent is to provide a
completely separate UniformRequest API. I am concerned that this area
of work, which started out with the potential to integrate nicely with
existing specs, is becoming a parallel universe.
> A security model that works for some media-types but not others is just
> too bizarre to explain to developers. This choice doesn't endanger
> existing resources, since CORS also allows a cross-origin request to
> follow a redirect that has not opted out of the Same Origin Policy.
Maybe I'm misreading CORS, but that doesn't seem to be the case. Note
step 4 here:
http://www.w3.org/TR/access-control/#redirect-steps
Regards,
Maciej