Changes

Cross Site XMLHttpRequest

1,173 bytes added, 20:24, 4 June 2007
Security worries
* I don't see an adequate threat model described here -- what are the kinds of activities that a potential attacker might use this channel to do, and what are some ways to prevent this? For example, how will cross site XHR be used in conjunction with cross site scripting attacks?
** Good point. We should create a real threat model.
 
 
* My main concern is statements such as: "make it impossible to distinguish between a access-control-failed error and network errors such as 404s."
** How will we be able to eliminate timing attacks? There are 4 events which might abort a cross-domain XHR request:
*** Name lookup failed (hostname does not exist or is offline)
*** Real 404
*** Rejection based upon Content-Access-Control header
*** Rejection based upon XML <?access-control?> tag
An attacker can check the time it takes before a request is rejected and, based upon this, conclude whether a certain server is running (inside a corporate firewall).
 
 
----
 
Threats/risks:
* Functional attacks
** DDoS: Most requests could already be done with img tags etc. Crafting POST requests becomes easier (better control over POST data).
** Messes up SOAP: Should be researched/tested.
** XSS/CSRF: If website A.com is vulnerable to an XSS exploit, then all the data of all other domains having accepted *.A.com is suddenly vulnerable.
 
* Implementation attacks
** premature loading of data (fixed by the inner nsIStreamListener)
** side channel attacks (e.g. timing, computational load, measuring network speed/usage)
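
The timing concern raised above, as a small model added here as an example (it is not part of the original page or of any browser implementation): it shows that returning one generic error still leaves the failure causes separable by elapsed time, and that holding the error until a fixed time bucket, an assumed mitigation the page does not propose, merges most causes but not a host that only fails after a long timeout. All timings, function names and the 500 ms bucket are constructed for illustration.

```javascript
// Constructed sample data: simulated time (ms) until each failure is known.
// The values are illustrative, not measurements.
const SAMPLE_FAILURES = [
  { cause: "name lookup failed (no such host)", elapsedMs: 30 },
  { cause: "name lookup failed (host offline)", elapsedMs: 21000 },
  { cause: "real 404", elapsedMs: 120 },
  { cause: "rejected by Content-Access-Control header", elapsedMs: 125 },
  { cause: "rejected by <?access-control?> in the body", elapsedMs: 340 },
];

// Uniform error value only: every cause looks the same, but the script
// still sees how long the request took to fail.
function reportUniform(failure) {
  return { error: "failed", visibleMs: failure.elapsedMs };
}

// Hypothetical mitigation: hold the error until the next bucket boundary.
function reportPadded(failure, bucketMs) {
  const buckets = Math.max(1, Math.ceil(failure.elapsedMs / bucketMs));
  return { error: "failed", visibleMs: buckets * bucketMs };
}

// Group causes by what the script can observe; each group is one class
// the script can tell apart from the others.
function observableClasses(failures, report) {
  const classes = new Map();
  for (const f of failures) {
    const seen = report(f);
    const key = `${seen.error}@${seen.visibleMs}`;
    if (!classes.has(key)) classes.set(key, []);
    classes.get(key).push(f.cause);
  }
  return classes;
}

const uniform = observableClasses(SAMPLE_FAILURES, reportUniform);
const padded = observableClasses(SAMPLE_FAILURES, (f) => reportPadded(f, 500));
console.log("uniform error only:", uniform.size, "distinguishable classes");
console.log("padded to 500 ms:  ", padded.size, "distinguishable classes");
for (const [key, causes] of padded) console.log(" ", key, "<-", causes.join("; "));
```

The class that remains separate after padding is the offline-host timeout, which is the case the comment above is worried about; a larger bucket only trades that leak against slower error delivery for every caller.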