Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Adam Barth
Hi Mark, Thanks for your feedback. At a high level, you seem concerned about very advanced sites (e.g., ones that use object-capability mashups). The Origin-header-as-CSRF-defense is aimed at making CSRF defense easier for simple sites. Just like you need to do complex gymnastics to avoid XSS when

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Adam Barth
On Fri, Jun 5, 2009 at 9:42 PM, Mark S. Miller erig...@google.com wrote: [+www-tag] I have received several private responses to my post, but oddly, nothing public yet. In these responses, I have been asked most frequently about: Sorry for the lag in public comments. On Wed, Jun 3, 2009 at

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
On Sun, Jun 7, 2009 at 12:17 PM, Adam Barth w...@adambarth.com wrote: On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller erig...@google.com wrote: Since malicious machines, or malicious applications running on trusted machines, can send messages that aren't self-identified as cross origin,

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Adam Barth
On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote: While I clearly am concerned about object-capability mashups, from your response, and from some private responses I've received, I have clearly created some confusion by leading with this example. The point I am making

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Adam Barth
On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller erig...@google.com wrote: If the hypothesis I am raising is indeed not a problem, then it doesn't matter whether these same origin requests carry Origin: null or nothing. What matters is that JavaScript code have a standard way to request their

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
[- all but Adam and public-webapps] On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth w...@adambarth.com wrote: On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote: If servers at A don't freely hand out such tokens in response to guessable GET requests, then the secret token

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Adam Barth
On Sun, Jun 7, 2009 at 3:46 PM, Mark S. Miller erig...@google.com wrote: [- all but Adam and public-webapps] On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth w...@adambarth.com wrote: On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote: If servers at A don't freely hand out

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth w...@adambarth.com wrote: GET really doesn't have anything to do with it. The attacker can issue POST requests (and really any other method) too. Note that the attacker can read the response and follow any links, etc. Recall that we were examining

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Adam Barth
On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller erig...@google.com wrote: On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth w...@adambarth.com wrote: GET really doesn't have anything to do with it. The attacker can issue POST requests (and really any other method) too. Note that the attacker can

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
On Sun, Jun 7, 2009 at 4:29 PM, Adam Barth w...@adambarth.com wrote: Right, but once the attacker has XSSed site A, the attacker learns the secret token necessary to issue the next request in the chain to site A regardless of the method. Recall that this is in response to On Sun, Jun 7,