- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 20 Jan 2012 19:32:33 +0000 (UTC)
- To: Tim Berners-Lee <timbl@w3.org>
- cc: public-webapps@w3.org, Thomas Roessler <tlr@w3.org>, "Michael(tm) Smith" <mike@w3.org>
On Fri, 20 Jan 2012, Tim Berners-Lee wrote:
>
> Reading
>
> http://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html#network-error
>
> it isn't obvious to me how the fact that a cross-site-scripting
> violation has occurred. The CORS spec
>
> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request-status
>
> suggests the error should be treated like a network error

That is correct.

> but IMHO it is really important for the code using the XHR to be able
> simply and unambiguously to know when the CORS
> cross-origin-request-status is the problem, as opposed to any other
> network error.

That would be a security flaw. It would allow hostile sites to scan victim sites behind firewalls for CORS-protected content.

> (It is also important that this can be passed on to a user, so when
> the user is on the phone with customer support, the latter can
> understand what has happened).

It can be passed to the user directly from the browser without the script being informed (and typically is, e.g. Firefox shows it in the Web console).

> There are of course places where XHR is used and there is no
> cross-site scripting security needed
>
> 1) in a browser extension
> 2) in node.js code trusted apps

These aren't the Web, so they're probably out of scope of the CORS and XHR specs, but Anne can comment if he disagrees. :-)

> 3) in web apps when web apps can, in I hope the near future, be
> installed, and flagged as trusted code

Personally I think the idea of "installing" a Web app is anathema. The best thing about Web apps is that the browser can be trusted such that even the most hostile app can't do anything bad. If we start allowing users to install apps, we'll just change the security model of the Web from "you can't do anything bad without an implicit permission gesture from the user" to "all you have to do is convince the user to install you and then you can own them". Basically, moving us from the Web's security model today, a fantastic and successful security model that has withstood a decade or more of sustained attack, to the Windows security model.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 20 January 2012 19:33:07 UTC
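
The point made in the reply above, that a failed CORS check must look to the script exactly like any other network error while the detail goes to the browser's console, sketched as an added example. It is not part of the original message and is not browser or spec code; the function names, the `devConsole` array and the sample hosts are assumptions made for illustration.

```javascript
// Simplified model of a user agent handling a cross-origin XHR (illustrative only).
// resourceSharingCheck, fetchOutcome and devConsole are hypothetical names.

const devConsole = []; // stands in for the Web console; page script cannot read it

// Simplified CORS resource sharing check; returns null on success, else a reason.
function resourceSharingCheck(requestOrigin, headers, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "missing Access-Control-Allow-Origin";
  if (allowOrigin === "*") {
    return withCredentials ? "wildcard origin not allowed with credentials" : null;
  }
  if (allowOrigin !== requestOrigin) return "origin mismatch";
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return "credentials not allowed";
  }
  return null;
}

// What the calling script is allowed to observe for one request.
// `transport` is a constructed description of what happened on the wire.
function fetchOutcome(requestOrigin, url, transport, withCredentials = false) {
  let reason = null;
  if (transport.error) {
    reason = transport.error; // e.g. DNS failure, connection refused
  } else {
    const failure = resourceSharingCheck(requestOrigin, transport.headers, withCredentials);
    if (failure) reason = "CORS: " + failure;
  }
  if (reason) {
    devConsole.push(`${url}: ${reason}`); // detail is shown to the user only
    return { status: 0, responseText: "" }; // same generic network error every time
  }
  return { status: transport.status, responseText: transport.body };
}

// Constructed sample cases: one unreachable host, two CORS failures, one success.
const origin = "https://app.example";
const cases = {
  noHost: { error: "connection refused" },
  noCors: { status: 200, body: "internal", headers: {} },
  otherOrigin: { status: 200, body: "internal",
    headers: { "access-control-allow-origin": "https://intranet.example" } },
  allowed: { status: 200, body: "public", headers: { "access-control-allow-origin": origin } },
};
const results = Object.fromEntries(Object.entries(cases).map(
  ([name, t]) => [name, fetchOutcome(origin, `https://host.example/${name}`, t)]));
console.log(results, devConsole);
```

The three failing cases return identical objects to the script, so it cannot tell "nothing is listening there" from "a resource exists but is CORS-protected"; only `devConsole` records the difference.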