Re: [AC] Preflight-less POST

2008-07-16 Thread Jonas Sicking


Anne van Kesteren wrote:


On Thu, 10 Jul 2008 13:21:33 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:
Yes, I had gotten the impression that Flash would allow POSTs even if 
there was no /crossdomain.xml file. I.e. that it would allow the 
actual POST even if the preflight failed, it just wouldn't let you 
read the data.


If I'm wrong that definitely changes things and makes option 1 much 
less viable.


It seems Björn has some other data than I have. I used the following 
simple page together with request sniffing


  http://blog.monstuff.com/Flash4AJAX/static/Xdomain.html

to figure out if everything had a preflight /crossdomain.xml GET 
request. Using Flash 9 on Ubuntu this appeared to be the case.



Just allowing cross-site POST when Content-Type is 
application/x-www-form-urlencoded or text/plain seems bad as it a) 
encourages bad design to avoid a preflight and b) makes whitelisting 
even more fine-grained. Initially the distinction was just on 
methods, then it became headers, going further down to header values 
seems like a bad idea to me. I'd much rather go back to just GET 
versus everything else (i.e., methods).


I agree it's bad, the question is if it's worse than option 3, which 
is to not have IE compatibility.


True. Another point to consider here is if we want compatibility with 
HTML forms Web Forms as using Access Control would enable more 
functionality for ordinary forms as well, such as exposing cross-site 
return data and allowing the CHICKEN method.


Indeed. Though option 1 would also allow us to do that.

/ Jonas



[AC] Preflight-less POST

2008-07-09 Thread Jonas Sicking


Hi All,

During the F2F we talked about doing preflight-less POSTs in order to be 
compatible with Microsoft's security model and allow them to follow the AC 
spec for their feature set.


Unfortunately when I brought this up at mozilla there was concern about 
doing cross-site POSTing with content types other than what forms 
already allow. The concern was that it could make servers exploitable, 
which weren't today.


So I see a few ways forward:

1. Build more confidence that this would not in fact break servers.

I'm working on this method. I've contacted Adobe since I think Flash 
currently allows cross-site POSTing with arbitrary Content-Types. I've 
also contacted Microsoft to see if they have gotten any feedback on IE8 
Beta 1 where XDR allows arbitrary content types to see if they have 
gotten any feedback there. Silverlight also supports this feature.


I'd also like to make a general shout-out here to see how people feel 
about this, or if they know of any other protocols that send arbitrary 
Content-Types with cross-site POSTs that we could use to gather data 
about if this makes sites exploitable.


If anyone has pointers to any research that has been done on Flash in 
general, or its cross-site posting mechanism in particular, that would be 
great, even if it doesn't mention this specific issue.



2. Don't require pre-flight for POSTs 'text/plain', but require it 
otherwise.


The downside of this solution is that it encourages people to use 
'text/plain' as Content-Type for everything they send which has its 
downsides.


The upshot is that this would still allow compat with XDR.


3. Always pre-flight POSTs

This would abandon any hope of allowing XDR to use Access-Control as 
security protocol.


Unless Microsoft were able to implement preflights in IE8, but it seems 
like it's really late in their release schedule for such a large change.



One thing that I really like about proposal 1 is the simplicity. We 
would say POST can be done cross origin without any checking, so you 
need to protect yourself against that. Any other proposal is basically 
POST can be done cross origin without any checking, but only for these 
here values of the 'Content-Type' header. Except that it looks like in 
Access-Control you can rely on those requests not coming in. Oh, and if 
you are concerned about users of Flash and Silverlight being exploitable 
you do need to worry about all values for 'Content-Type'.


/ Jonas
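The three options above, as an added illustration that is not code from this thread or from any browser: a small model of which cross-site POSTs each policy lets through without a preflight, beside the server-side assumption Jonas warns about (trusting a non-form Content-Type as proof of same-origin) and a check that keys on Origin instead. The origin, token and function names are constructed for the example.

```python
# Added example, not from the thread. Option 1: POST never preflighted;
# option 2: no preflight only for the Content-Types Anne names
# (application/x-www-form-urlencoded, text/plain); option 3: always preflight.

NO_PREFLIGHT_TYPES = {"application/x-www-form-urlencoded", "text/plain"}
TRUSTED_ORIGINS = {"https://app.example"}  # constructed allowlist


def media_type(content_type):
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return (content_type or "").split(";")[0].strip().lower()


def needs_preflight(method, content_type, policy):
    """True if a cross-site request must be preflighted under policy 1, 2 or 3.
    GET is never preflighted; methods other than GET/POST always are."""
    method = method.upper()
    if method == "GET":
        return False
    if method != "POST" or policy == 3:
        return True
    if policy == 1:
        return False
    if policy == 2:
        return media_type(content_type) not in NO_PREFLIGHT_TYPES
    raise ValueError("policy must be 1, 2 or 3")


def naive_server_accepts(headers):
    """The legacy assumption at issue: a non-form Content-Type is taken as
    proof that the POST came from same-origin script, so no further check."""
    return media_type(headers.get("Content-Type")) not in NO_PREFLIGHT_TYPES


def hardened_server_accepts(headers):
    """Decide on Origin (or a CSRF token when no Origin is sent), never on
    Content-Type, so the outcome is identical under all three policies."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin in TRUSTED_ORIGINS
    return headers.get("X-CSRF-Token") == "expected-token"  # constructed


def cross_site_post_exposed(policy, content_type, server):
    """Does an unpreflighted cross-site POST with this Content-Type reach and
    pass the given server check? A server that never opts in via preflight
    is assumed, so any preflighted request is simply blocked."""
    headers = {"Content-Type": content_type, "Origin": "https://other.example"}
    if needs_preflight("POST", content_type, policy):
        return False
    return server(headers)
```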