Security/Reviews/XHRnonpost

From MozillaWiki

Items to be reviewed

Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time]

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Notes for security review of HTTP redirect behavior changes (julian.reschke@gmx.de, 2012-01-06)

1) When an HTTP request is redirected, what is the right HTTP method to use for the redirected request?

2) When a redirect happens, when should the UA prompt?

3) Prompting in general

  • Bug: <https://bugzilla.mozilla.org/show_bug.cgi?id=677754>
  • Some people say the UA should not prompt at all.
  • If XHR does not prompt, it should return the 3xx to the caller letting it decide how to proceed.
  • I believe 3) is important, but can be discussed and changed at a later point.
    • downside to 3) is that XHR-using script authors (or library authors) might not be smart about it.
  • on the topic of redirect prompting in IE: tested with <http://www.mnot.net/javascript/xmlhttprequest/>; IE does not appear to prompt before following a redirect with an unsafe method

4) Status Code 308

What solutions/approaches were considered other than the proposed solution?

  • closer adherence to standard

Why was this solution chosen?

  • closer adherence to the revised HTTP standard

Any security threats already considered in the design and why?

  • redirect handling has been the subject of a lot of prior security work

Threat Brainstorming (30-40 minutes)

  • relevant to 1) and 2): see also https://bugzilla.mozilla.org/show_bug.cgi?id=573873
    • that fix stopped plugins from following a cross-domain 307 altogether. Jonas asks that whatever decisions we make avoid reintroducing this problem.
    • (jre: whatever the solution for 307 is should be the same for 301/302...)

Conclusions / Action Items (10-20 minutes)

  • [jonas / someone] 301/302 could go three ways: switch to IE behavior, stick with "historical" rewriting assuming dumb servers, or don't follow the redirect at all (return the 30x to script?)
    • needs to be done with other browser vendors
  • [mozsec / chrome(?)] survey of redirectors in-the-wild -- are they sane or not? (re: 301/302 non-GET/POST methods)
  • [dveditz] bug for redirect intentions for a moved resource
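The following is an added illustration written for these notes, not Firefox/Necko or XHR code. It models questions 1) to 4) above and the three 301/302 options listed under Conclusions as a small decision function, so the consequences of each option for a non-GET/POST method can be compared side by side. The policy names "preserve", "rewrite" and "return" are this example's own; the page does not establish which of them IE actually implements, so none is labelled as IE behaviour. The 303/307/308 method rules follow the HTTPbis definitions; the "rewrite" policy assumes a server that expects every redirected request to be a GET, which is an assumption made here to model "historical rewriting assuming dumb servers".

```python
"""Decision model for the redirect questions in these notes (items 1-4).

Added illustration for this page, not Firefox/Necko or XHR code. Assumes the
HTTPbis method rules for 303, 307 and 308 and models the three 301/302 options
from the Conclusions as the policies "preserve", "rewrite" and "return".
"""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = frozenset({"GET", "HEAD"})
REDIRECT_CODES = frozenset({301, 302, 303, 307, 308})

# Policy names are this example's own; which one IE implements is not
# established on the page, so none is labelled "IE behaviour" here.
POLICIES = ("preserve", "rewrite", "return")


@dataclass(frozen=True)
class Decision:
    action: str            # "follow" (issue a new request) or "return" (hand the 3xx to script)
    method: Optional[str]  # method of the redirected request, None when not followed
    keep_body: bool        # whether the original request body is resent
    prompt: bool           # whether a user prompt would precede the redirected request


def decide(status: int, method: str, policy: str = "rewrite",
           prompt_for_unsafe: bool = False) -> Decision:
    """Decide how a UA handles one redirect response to a request using `method`.

    prompt_for_unsafe models item 2): if True, resending an unsafe method
    (anything but GET/HEAD) after a redirect requires a prompt, as RFC 2616
    demanded for 302/307; if False the UA never prompts (the IE behaviour
    observed in item 3).
    """
    if status not in REDIRECT_CODES:
        raise ValueError(f"{status} is not an automatically followed redirect")
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    method = method.upper()
    unsafe = method not in SAFE_METHODS

    if status == 303:
        # 303 always turns the follow-up into a retrieval (HEAD stays HEAD), no body.
        return Decision("follow", "HEAD" if method == "HEAD" else "GET", False, False)

    if status in (307, 308):
        # 307 and 308 (item 4) preserve method and body; 308 is the permanent
        # counterpart of 307.
        return Decision("follow", method, unsafe, prompt_for_unsafe and unsafe)

    # 301 / 302: the open question from item 1).
    if policy == "return":
        return Decision("return", None, False, False)
    if policy == "rewrite":
        # Modelling assumption for "historical rewriting": the server expects a
        # GET, so any unsafe method is rewritten and the body dropped.
        return Decision("follow", "GET" if unsafe else method, False, False)
    # "preserve": keep the method as sent, which the revised standard permits.
    return Decision("follow", method, unsafe, prompt_for_unsafe and unsafe)


def follow_chain(method: str, statuses, policy: str = "rewrite",
                 prompt_for_unsafe: bool = False):
    """Apply decide() across a constructed chain of redirect statuses.

    Returns (final_method, prompts, returned_status): the method of the last
    request the UA would send, how many prompts it would need, and the status
    handed back to the caller when the chain is not followed (None otherwise).
    """
    prompts = 0
    for status in statuses:
        d = decide(status, method, policy, prompt_for_unsafe)
        if d.action == "return":
            return method, prompts, status
        prompts += int(d.prompt)
        method = d.method
    return method, prompts, None


if __name__ == "__main__":
    # Constructed chain for comparison, not measured redirector behaviour.
    for policy in POLICIES:
        print(policy, follow_chain("PUT", [301, 307], policy, prompt_for_unsafe=True))
```

Running the block compares the three policies on a PUT that meets a 301 followed by a 307: "rewrite" silently turns it into a GET and the 307 then preserves that GET, "preserve" keeps the PUT through both hops and would need two prompts under the RFC 2616 rule, and "return" never follows and hands the 301 back to script, which is the situation item 3) describes where the XHR caller must decide how to proceed.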

Historical Information
