26.02.2011 00:26, Matthew A. Miller wrote:
On Feb 25, 2011, at 08:14 , Joe Hildebrand wrote:
If the redirect comes from a trusted source (e.g. over HTTPS with a verified
certificate) then this can work ok, although we've decided that the BOSH
see-other-uri error is easier to control through XMLHTTPRequest,
particularly when doing CORS.
Be careful that you don't blindly accept redirects, however, or you are
trivial to man-in-the-middle attack.
If the redirect is via HTTP 3xx+cookie, then CORS already has a solution via
Access-Control-* headers. However, the XMLHttpRequest objects in browsers
don't always let you know this happened. Maintaining the redirect then becomes
the responsibility of the browser, which may not be desirable for BOSH (I don't
think it's desirable, anyway (-: ).
If done via the "see-other-uri" BOSH error condition, then this is definitely a
concern. On the plus side, the BOSH software (whether browser-based or stand-alone)
knows a redirect is happening in this case, so you have a better opportunity to protect
yourself at the application-level.
So what is the decision? What approach should we choose?
--
Regards,
Evgeniy Khramtsov, ProcessOne.
xmpp:[email protected].
