
Server Sent DOM Events 2011.06.27

Introduce Feature

  • Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
    • let a server push data to a web page over a long-lived HTTP response, instead of the page polling
    • only http[s] is supported today, but other protocols could be added in the future
  • What solutions/approaches were considered other than the proposed solution?
    • multipart XMLHttpRequest is also being implemented, since other browsers support it
    • WebSockets (which are two-way) require big changes to servers
  • Why was this solution chosen?
  • Any security threats already considered in the design and why?
    • same-origin connections only; cross-origin use requires the server to opt in via CORS


  • does support for http mean we also support https?
    • yes, but this should be tested and confirmed as correct
  • does content have to opt in to receive messages?
    • the EventSource object receives the messages
      • it is not in the document tree, so there is no capture/bubbling phase
  • two parallel listeners... what happens?
    • both get a reference to the same event object (no race condition)
    • do they share a (network) connection, or are multiple connections opened?
      • Different connections? TODO: check that both listeners see the same event object in the client.
      • even if they are in different pages??? <-- good question; maybe separate pages should not share a connection, but listeners in the same page should (what does the spec say?)
  • how is the URI passed to the constructor validated (i.e. checked that it is not a chrome: URI or some other unusual scheme)?
  • how does CSP factor into EventSource usage?
    • the load is currently nsIContentPolicy type SCRIPT, but should probably be changed to type XHR (or a type of its own)
  • If you're on an HTTPS page and the EventSource references an HTTP URL, is the mixed-content UI triggered (hiding the secure badging for the page)?
    • Not an issue for same-origin (the scheme is part of the origin), but it must be considered once CORS support lands.
    • Do we want to consider https-using-http to be "mixed display" (allowed) or "mixed scripting" (blocked) when we adopt this distinction from Chromium? (How about treating it the same as XHR? Then we can deal with both together; probably "mixed scripting".)
  • can file:// URLs construct an EventSource object? (The MIME type check should stop this, since a local file won't carry the required text/event-stream MIME type.)
    • FF aborts with "Firefox can't establish a connection to the server at ..."
  • interaction with bfcache?
    • a frozen document gets its connections closed; a thawed document gets reconnected.
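The URL checks raised above (scheme whitelist, same-origin versus CORS, an https page loading an http stream, file:// documents), as an added example that is not Gecko's code: a JavaScript function that resolves the constructor argument against the document URL and decides whether a connection may be opened at all. The scheme whitelist and the choice to treat https-using-http as blocked mixed content are assumptions of this example (the notes above leave that choice open); `classifyEventSourceUrl` is a hypothetical name, not a browser API.

```javascript
// Added example, not Gecko's implementation. The checks a browser has to
// run on the argument of `new EventSource(url)` before opening any socket.
// Returns { allowed, reason, url, sameOrigin, mixedContent, needsCors }.
function classifyEventSourceUrl(documentUrl, input) {
  const doc = new URL(documentUrl);
  let url;
  try {
    url = new URL(input, doc);           // relative URLs resolve against the document
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  // Only http(s) is supported. chrome:, file:, data:, javascript: and so on
  // are refused here, rather than relying on the MIME-type check after a
  // connection has already been attempted.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "unsupported scheme " + url.protocol, url: url.href };
  }
  const sameOrigin = url.origin === doc.origin;
  // An https page pulling an http stream can never be same-origin (the scheme
  // is part of the origin). This example treats it like XHR: mixed active
  // content ("mixed scripting"), blocked rather than merely badged.
  const mixedContent = doc.protocol === "https:" && url.protocol === "http:";
  if (mixedContent) {
    return { allowed: false, reason: "mixed content", url: url.href, sameOrigin, mixedContent };
  }
  return {
    allowed: true,
    reason: sameOrigin ? "same-origin" : "cross-origin: server must opt in via CORS",
    url: url.href, sameOrigin, mixedContent, needsCors: !sameOrigin,
  };
}
```

The function refuses before any network activity, so the file:// case is decided by the scheme check rather than by the connection failure observed above; cross-origin http(s) targets are allowed only on the understanding that the response must carry CORS headers.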

Threat Brainstorming

Server attacking client

  • DoS by opening a bunch of connections, maxing out our connection limits
    • differs from XMLHttpRequest because the connection is expected to be long-lived (but the risk is the same as multiple long-lived XHRs)
    • maybe we should have a per-tab limit so a single tab can't exhaust the browser's connection limits
  • the spec specifies the event stream format and how to parse it; possible input validation threat here. How complex is the parser? Should it get fuzzing and/or extra review?
    • The current spec has five line types: event, data, id, retry, and the comment line starting with ":". Each has the syntax "field: value EOL". Current fuzz tests showed no results as of 07/02/11.
  • Does this allow events to be fired (at web pages) at times when it would be unusual for events to fire?
  • Do we have tests to ensure we don't crash/deadlock/leak if a script responds to receiving an event by:
    • closing the tab
    • closing the window
    • closing the socket
  • A server could find out whether GC happened by seeing whether a thawed document reconnects its EventSource

Server attacking other server

  • If you've already XSSed a site, could EventSource let you do things you weren't previously able to accomplish? (CORS doesn't help here.)
    • The target site must opt in with the MIME type and CORS headers

MITM attacks

  • If the connection is cut off (EOF mid-message, e.g. by a MITM tearing it down), is a partial message delivered to script? Spec issue!

Data attacking server & client

  • [dveditz] Data validation / sanitization of the event ID, which the browser re-sends to the server (Last-Event-ID header) upon reconnection
  • What happens if there's a NUL byte? (particularly when the data is handled in C code)
  • Data contains a line break, causing the client to think there's a separate message
    • Does every participant agree on which characters constitute line breaks?
      • Spec is clear: CRLF, LF, or a lone CR.
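The parser and encoder below are an added example, not Gecko's code, covering the input-validation points raised in this section and under "Threat Brainstorming" and "MITM attacks": a streaming JavaScript parser for text/event-stream that follows the WHATWG "interpreting an event stream" algorithm (the five line types, CRLF/LF/CR line breaks including a CRLF split across two network chunks, a NUL byte inside an id, and discarding an incomplete event at EOF, which is what the current spec requires), plus a server-side encoder that cannot be tricked by a line break in untrusted data. The names `EventStreamParser`, `naiveEncode` and `encodeEvent` and the sample payload are this example's own; the spec's UTF-8 BOM stripping step is left out.

```javascript
// Added example, not Gecko's parser: a streaming text/event-stream parser
// following the WHATWG "interpreting an event stream" algorithm, plus a
// server-side encoder. Names and sample payloads are this example's own.
class EventStreamParser {
  constructor() {
    this.pending = "";      // text received but not yet terminated by a line break
    this.data = [];         // data buffer, one entry per "data:" line
    this.eventType = "";    // event type buffer
    this.idBuffer = "";     // last event ID buffer, set by "id:" lines
    this.lastEventId = "";  // last event ID string, copied from idBuffer at dispatch
    this.retry = null;      // reconnection time in ms, if the server sent "retry:"
    this.events = [];       // every dispatched event, in order
  }

  // Feed one network chunk; returns the events dispatched because of it.
  feed(chunk) {
    const before = this.events.length;
    let buf = this.pending + chunk;
    // Hold back a trailing CR: the next chunk may begin with LF, and CRLF is
    // one line break, not two (otherwise a split CRLF would look like a blank
    // line and dispatch the event early).
    let carry = "";
    if (buf.endsWith("\r")) { carry = "\r"; buf = buf.slice(0, -1); }
    const lines = buf.split(/\r\n|\r|\n/);
    this.pending = lines.pop() + carry;   // last piece has no terminator yet
    for (const line of lines) this.processLine(line);
    return this.events.slice(before);
  }

  // EOF. A line held back only for its trailing CR is complete and is still
  // processed; an unterminated line and a block missing its blank line are
  // discarded, so a truncated stream never delivers a partial message.
  end() {
    const before = this.events.length;
    if (this.pending.endsWith("\r")) this.processLine(this.pending.slice(0, -1));
    this.pending = ""; this.data = []; this.eventType = "";
    return this.events.slice(before);
  }

  processLine(line) {
    if (line === "") { this.dispatch(); return; }
    if (line.startsWith(":")) return;            // comment line (keep-alive)
    let field = line, value = "";
    const colon = line.indexOf(":");
    if (colon !== -1) {
      field = line.slice(0, colon);
      value = line.slice(colon + 1);
      if (value.startsWith(" ")) value = value.slice(1);   // exactly one space is stripped
    }
    switch (field) {
      case "event": this.eventType = value; break;
      case "data":  this.data.push(value); break;
      case "id":
        // An id containing NUL is ignored: it is echoed back to the server in
        // the Last-Event-ID header, and C string handling would truncate it.
        if (!value.includes("\u0000")) this.idBuffer = value;
        break;
      case "retry":
        if (/^[0-9]+$/.test(value)) this.retry = parseInt(value, 10);
        break;
      default: break;                            // unknown field: ignored
    }
  }

  dispatch() {
    this.lastEventId = this.idBuffer;            // persists until the server changes it
    const data = this.data, type = this.eventType;
    this.data = []; this.eventType = "";
    if (data.length === 0) return;               // no data lines: nothing to dispatch
    this.events.push({ type: type || "message", data: data.join("\n"), lastEventId: this.lastEventId });
  }

  // Headers for the reconnection request; Last-Event-ID is only sent once set.
  reconnectHeaders() {
    return this.lastEventId === "" ? {} : { "Last-Event-ID": this.lastEventId };
  }
}

// Server side. naiveEncode lets a line break in untrusted data end the
// message early and inject fields of the attacker's choosing. encodeEvent
// emits one "data:" line per line of payload (the parser joins them back
// with LF) and refuses a type or id that could not survive the round trip.
function naiveEncode(data) {
  return "data: " + data + "\n\n";
}
function encodeEvent({ type, data, id }) {
  for (const v of [type, id]) {
    if (v !== undefined && /[\r\n\u0000]/.test(v)) throw new Error("invalid field value");
  }
  let out = "";
  if (type !== undefined) out += "event: " + type + "\n";
  if (id !== undefined) out += "id: " + id + "\n";
  for (const part of data.split(/\r\n|\r|\n/)) out += "data: " + part + "\n";
  return out + "\n";
}
```

Feeding `naiveEncode("hello\n\nevent: admin\ndata: injected")` to the parser yields two events, the second with an attacker-chosen type; `encodeEvent` with the same payload yields one "message" event whose data is the original string. The parser is a natural fuzzing target: the interesting inputs are chunk boundaries placed inside CRLF, streams that end without the final blank line, and NUL bytes in each field.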

Conclusions / Action Items

  • [Olli] Test for HTTPS support
    • Test should ensure that an invalid certificate is an error that is silent to the user
  • [Olli] Test (with CORS support) whether an HTTP event stream on an HTTPS page triggers the mixed-content UI
  • [Olli] File bug to change the nsIContentPolicy content load type from SCRIPT to something like XHR (bug 667490)
  • [cdiehl?] fuzz the protocol
  • [dveditz] bug: Spec problems (EOF partial messages)