New HTTP Access Control

So there’s a new spec for what is ambiguously called HTTP Access Control coming out of W3C and currently, I think, only supported by Firefox.  What it does is allow you to run cross-domain AJAX calls.  This means you can download a page from domain.com that has XMLHttpRequest calls to otherdomain.com.  This has always been disallowed by the Same Origin Policy.  The controls they’ve put in place are on otherdomain.com.  otherdomain.com can control which original domain’s pages can call them.  The problems are manifest.

First, otherdomain.com does its access control based on the new HTTP header called Origin, which is passed as part of the call FROM THE BROWSER.  It would be beyond trivial to fake that.  otherdomain.com doesn’t have any kind of keys set up with domain.com such that it can trust a request.  It believes whatever the user tells it.  It’s like being able to log in with no password; you just have to figure out a trusted origin domain.
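As an added example (not code from the original post), here is a minimal server-side allow-list check for the Origin-based control described above. It assumes the header names of the later CORS standard (Access-Control-Allow-Origin, Access-Control-Allow-Credentials) and a constructed allow-list; it keeps authentication separate from the Origin match, because Origin only identifies the calling page and a non-browser client can send any value it likes.

```python
# Added example, not from the original post: a server-side allow-list check
# for Origin-based cross-site access control on otherdomain.com. Header names
# follow the later CORS standard; the allow-list below is constructed.

from urllib.parse import urlsplit

# Constructed allow-list of origins otherdomain.com is willing to answer.
ALLOWED_ORIGINS = {"https://domain.com", "https://app.domain.com"}


def cors_response_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Return the CORS headers to add, or None when the request is not a
    cross-site request this server wants to answer.

    The Origin value is compared as a whole scheme://host[:port] string, so
    a suffix such as domain.com.evil.example does not match, and the matched
    origin is echoed back instead of answering with '*'.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return None  # same-origin or non-browser client: no CORS headers
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or parts.path not in ("", "/"):
        return None  # malformed or "null" Origin: refuse rather than guess
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in allowed:
        return None
    return {
        "Access-Control-Allow-Origin": normalized,
        # Only set this when cookies really should ride on cross-site calls;
        # it is never valid together with '*'.
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # responses differ per origin, so caches must too
    }


def authorize(request_headers, valid_tokens):
    """Origin says which page's script is calling; it is not a credential.
    Anything outside a browser can send any Origin, so sensitive resources
    still need their own authentication (here a constructed bearer token)."""
    auth = request_headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return token in valid_tokens
```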

Second, the only protection is for otherdomain.com.  There is none for the user, which is perhaps a bigger problem with cross-domain AJAX.  Any site that’s susceptible to cross-site scripting can now not only have local JavaScript inserted, it can have remote calls that might do anything!  Previously, to send info to an evil server, you would have at least had to submit() a form to the evil server.  The user might have noticed… even if you redirected them to a page that looked reasonable.  Now, they just pass any information you enter to their server via AJAX and allow you to continue using the same site.  No sign except the excess HTTP requests.

Seriously, WTF?

2 Responses to “New HTTP Access Control”

  1. Eduardo Habkost Says:

    Previously, to send info to an evil server, you would have at least had to submit() a form to evil server.

    Really? GET requests for embedded images can contain lots of information.
