[OpenAjaxSecurity] Fw: IE8 Ajax features announced

Kris Zyp kzyp at sitepen.com
Thu Mar 6 12:43:35 PST 2008

> My personal opinion is that it’s good enough and should put to rest the security-anxiousness but it would be great to hear what others think.

FWIW, my opinion is that it is a little too restrictive. I think there should at least be a small subset of allowed headers. A set of prefixed headers with an unused prefix (I have suggested XSite-*) would not cause any security problems, because they are currently not used, but it would still allow requests to include metadata, which is semantically very useful. I have made the same suggestion for the W3C Cross-site Access Control proposal. Currently the AC proposal allows "Accept" and "Accept-Language", and I don't see how they pose any security threat either. These are important headers for content-negotiation and localization.

As far as cookies, I am fine with not allowing them, that seems like a good safe path. 

Also, the IE8 XDR doesn't support PUT and DELETE, which are important methods for proper REST interaction (and requiring credentials to be in payloads is very anathema to proper REST interaction as well). REST interfaces are certainly growing in popularity and it seems like an unnecessary limitation to prevent them.

Aside from the extent of the security imposed limitations, I believe IE8 should have at least put some due effort into trying to provide a semi-similar API to the AC proposal. IE8 could still impose their security constraints and use the XMLHttpRequest object as the AC proposal does. Having divergent APIs for cross-site requests does not seem beneficial.

Of course, the cross-document messaging is a great addition, and certainly appreciated, although I would not simply dismiss XDR shortcomings as something that can be compensated with cross-document messaging. API based interaction is not the one size fits all solution for cross-site communication, even though it seems the favored path by OA. On-the-wire communication is going to be important in the future as well.
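As an added example, and not code from this thread, from IE8 or from the W3C Access Control draft, the following JavaScript models the two header policies being compared above as a check a server or gateway could run on an incoming cross-site request: the IE8 XDR rules as described in this thread (GET/POST only, no script-set headers, no cookies) beside the allow-list argued for above (Accept, Accept-Language, PUT/DELETE, and a reserved XSite-* prefix). The policy names, the "XSite-" prefix, the treatment of Authorization alongside Cookie and the sample requests are assumptions made for illustration.

```javascript
// Added example, not from the mailing-list thread or from any browser/W3C code.
// Models two cross-site request policies as a server- or gateway-side gate.
// Policy names, the "XSite-" prefix and the sample requests are assumptions.

const POLICIES = {
  // Approximation of the IE8 XDomainRequest rules as described in the thread.
  xdr: {
    methods: new Set(['GET', 'POST']),
    allowedHeaders: new Set(),          // no script-set headers at all
    allowedPrefixes: [],
    allowCookies: false,
  },
  // The allow-list suggested above: Accept, Accept-Language, REST methods,
  // plus an otherwise unused prefix that carries application metadata only.
  'ac-xsite': {
    methods: new Set(['GET', 'POST', 'PUT', 'DELETE']),
    allowedHeaders: new Set(['accept', 'accept-language']),
    allowedPrefixes: ['xsite-'],
    allowCookies: false,
  },
};

// Headers that carry ambient credentials. Both policies here refuse them, so a
// server seeing one on a cross-site request knows it did not arrive through a
// conforming cross-site channel. (Authorization is an assumption of this example.)
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization']);

// Returns { allowed, method, permittedHeaders, violations } for one request.
function evaluateCrossSiteRequest(policyName, request) {
  const policy = POLICIES[policyName];
  if (!policy) throw new Error(`unknown policy: ${policyName}`);

  const violations = [];
  const permittedHeaders = {};
  const method = String(request.method || 'GET').toUpperCase();

  if (!policy.methods.has(method)) {
    violations.push(`method ${method} is not permitted`);
  }

  for (const [name, value] of Object.entries(request.headers || {})) {
    const lname = name.toLowerCase();   // header names are case-insensitive
    if (CREDENTIAL_HEADERS.has(lname)) {
      if (lname === 'cookie' && policy.allowCookies) {
        permittedHeaders[lname] = value;
      } else {
        violations.push(`credential header ${name} is not permitted`);
      }
      continue;
    }
    const listed = policy.allowedHeaders.has(lname);
    const prefixed = policy.allowedPrefixes.some((p) => lname.startsWith(p));
    if (listed || prefixed) {
      permittedHeaders[lname] = value;
    } else {
      violations.push(`header ${name} is not permitted`);
    }
  }

  return { allowed: violations.length === 0, method, permittedHeaders, violations };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  ['xdr', { method: 'GET', headers: { Accept: 'application/json' } }],
  ['xdr', { method: 'PUT', headers: {} }],
  ['ac-xsite', { method: 'PUT', headers: { Accept: 'application/json', 'XSite-Client': 'dojo' } }],
  ['ac-xsite', { method: 'GET', headers: { Cookie: 'sid=1', 'X-Custom': 'a' } }],
];

for (const [policy, req] of SAMPLES) {
  const result = evaluateCrossSiteRequest(policy, req);
  console.log(policy, req.method, result.allowed ? 'allowed' : result.violations.join('; '));
}
```

The point the comparison makes concrete is that under the "ac-xsite" policy a request can carry content-negotiation headers and an XSite-* tag while still never carrying a cookie, whereas under the XDR policy even Accept is refused and PUT/DELETE are unavailable. Matching is done on lower-cased names because header names are case-insensitive, so a policy keyed on exact spelling would be bypassable.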


From: security-bounces at openajax.org [mailto:security-bounces at openajax.org] On Behalf Of Jon Ferraiolo
Sent: Thursday, March 06, 2008 10:07 AM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Fw: IE8 Ajax features announced

  I am forwarding this URL which Bertrand passed our way. Microsoft has announced some of the features that will be included in IE8. Given the previous discussion on this list about W3C Access Control, I wanted to make sure people noticed the IE8 cross-domain request feature.

  It is quite interesting how minimalistic the IE8 cross-domain request feature is. It looks to me like the feature does not send referrer URL, does not allow setting custom HTTP headers and does not send cookies. If I am correct on these issues, then if you want to send information such as user credentials with the cross-domain request, those credentials would have to be included in a POST payload.



  Bertrand says:

  The Ajax section may be of interest to the group, in particular the Cross-document Request and Cross-document Messaging parts.
  security mailing list
  security at openajax.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openajax.org/pipermail/security/attachments/20080306/fe95ebd5/attachment-0001.html 
