Line 39: | Line 39: | ||
== Threat Brainstorming == | == Threat Brainstorming == | ||
=== Server attacking client === | === Server attacking client === | ||
* DoS by opening a bunch of connections, maxing out our limits | * DoS by opening a bunch of connections, maxing out our limits | ||
Line 54: | Line 55: | ||
** Given http://dev.w3.org/html5/eventsource/#garbage-collection perhaps the solution is to reconnect iff there are onmessage listeners (which can be determined without running a GC) | ** Given http://dev.w3.org/html5/eventsource/#garbage-collection perhaps the solution is to reconnect iff there are onmessage listeners (which can be determined without running a GC) | ||
** We already have bugs with expandos and objects falling out of wrapper cache, fwiw | ** We already have bugs with expandos and objects falling out of wrapper cache, fwiw | ||
=== Server attacking other server === | === Server attacking other server === | ||
* If you've already XSSed a site, could EventSource let you do things you weren't previously able to accomplish? (CORS doesn't help here.) | * If you've already XSSed a site, could EventSource let you do things you weren't previously able to accomplish? (CORS doesn't help here.) | ||
** Site must opt in with MIME type and CORS | ** Site must opt in with MIME type and CORS | ||
=== MITM attacks === | === MITM attacks === | ||
* At EOF, does that cause a partial message to be delivered to script? Spec issue!!! | * At EOF, does that cause a partial message to be delivered to script? Spec issue!!! | ||
=== Data attacking server & client === | === Data attacking server & client === | ||
* [dveditz] Data validation / sanitization of ID, which browser re-sends to server upon reconnection | * [dveditz] Data validation / sanitization of ID, which browser re-sends to server upon reconnection | ||
Line 65: | Line 69: | ||
** Does every participant agree on which characters constitute line breaks? | ** Does every participant agree on which characters constitute line breaks? | ||
*** Spec is clear: \n \r or combinations thereof. | *** Spec is clear: \n \r or combinations thereof. | ||
== Conclusions / Action Items | |||
== Conclusions / Action Items == | |||
* [Olli] Test for HTTPS support | * [Olli] Test for HTTPS support | ||
** Test should ensure that invalid cert is a silent-to-the-user error | ** Test should ensure that invalid cert is a silent-to-the-user error | ||
* [Olli] Test (with CORS support) if HTTP event listener on HTTPS page causes mixed-mode UI | * [Olli] Test (with CORS support) if HTTP event listener on HTTPS page causes mixed-mode UI | ||
* [Olli] File bug to change nsIContentPolicy content load type from SCRIPT to something like XHR | * [Olli] File bug to change nsIContentPolicy content load type from SCRIPT to something like XHR {{nbug|667490}} | ||
* [cdiehl?] fuzz the protocol | * [cdiehl?] fuzz the protocol | ||
* [dveditz] bug: Spec problems. (EOF partial messages) | * [dveditz] bug: Spec problems. (EOF partial messages) | ||
** Filed http://www.w3.org/Bugs/Public/show_bug.cgi?id=13071 | ** Filed http://www.w3.org/Bugs/Public/show_bug.cgi?id=13071 |
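Review bot: the new revision of the "Conclusions / Action Items" heading adds the missing closing `==`, which the old line lacked, so it now renders as a section header instead of literal text; fine as is. In the same hunk the nsIContentPolicy action item gains a `{{nbug|667490}}` tracking link, but the spec-problem item two lines below still points at its W3C bug only through a bare `show_bug.cgi?id=13071` URL, so consider giving that filed bug the same kind of tracked link for consistency, so both open action items can be followed up from one place.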