w3c / webappsec-cowl

WebAppSec Confinement Origin Web Labels
https://w3c.github.io/webappsec-cowl/

Fix receiving labeled objects in XHR extension #57

Open NAndreasson opened 8 years ago

NAndreasson commented 8 years ago

As it is, one could choose a different responseType than "labeled-json" to access the received data, even if the server operator has set the Content-Type of the response to be equal to application/labeled-json. So essentially it is possible to set the responseType to json to receive the response as json instead, and thus bypass the confinement that we want after inspecting the response.

We probably want to make sure that the response is null in the case of Content-Type: application/labeled-json and xhr.responseType != labeled-json.

http://w3c.github.io/webappsec-cowl/#receive-labeled-object

Example

Server operator

Content-Type: application/labeled-json;

{
  "confidentiality": "'self'",
  "integrity": "'self'",
  "object": ... JSON object ...
}

Developer

var req = new XMLHttpRequest();
req.responseType = 'json'; // instead of labeled-json
req.addEventListener("load", function () {
  console.log('got ' + this.response); // want to return null
});
req.open("GET", "<url>");
req.send();

Could probably be accessed via xhr.responseText as well.

+@deian
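The gate this issue asks for, as an added example in JavaScript that is not code from the COWL spec or this repository: a labeled-json body is released only as a labeled object, and only when responseType is "labeled-json". parseMediaType, parseOrNull, receiveResponse and LabeledObject are assumed names (not spec APIs), and the sample body is constructed.

```javascript
// Added example, not code from the COWL spec or this repository: a model of
// the "receive labeled object" gate this issue asks for. parseMediaType,
// receiveResponse and LabeledObject are assumed names, not spec APIs.

// Media type from a Content-Type value; parameters such as "; charset=utf-8"
// and case differences must not let a labeled response slip past the check.
function parseMediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// JSON.parse that mirrors XHR's responseType "json": unparseable body -> null.
function parseOrNull(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

// Stand-in for the spec's LabeledObject: labels travel with the payload.
class LabeledObject {
  constructor(confidentiality, integrity, object) {
    this.confidentiality = confidentiality;
    this.integrity = integrity;
    this.object = object;
  }
}

// What xhr.response yields for a given Content-Type, responseType and body.
// A labeled-json body is released only as a LabeledObject, and only when
// responseType is "labeled-json"; any other responseType ("json", "text", "")
// gets null, so the labels cannot be stripped by picking another type.
// Non-labeled responses model only the "" / "text" / "json" types.
function receiveResponse(contentTypeHeader, responseType, bodyText) {
  if (parseMediaType(contentTypeHeader) !== "application/labeled-json") {
    return responseType === "json" ? parseOrNull(bodyText) : bodyText;
  }
  if (responseType !== "labeled-json") return null;
  const envelope = parseOrNull(bodyText);
  if (envelope === null || typeof envelope !== "object" ||
      typeof envelope.confidentiality !== "string" ||
      typeof envelope.integrity !== "string" || !("object" in envelope)) {
    return null; // malformed envelope is never released unlabeled
  }
  return new LabeledObject(envelope.confidentiality, envelope.integrity,
                           envelope.object);
}

// Constructed sample body in the shape of the issue's example response.
const SAMPLE_BODY = JSON.stringify({
  confidentiality: "'self'", integrity: "'self'", object: { secret: 42 },
});
```

The same gate would apply to responseText, which the issue notes is another way to read the body.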

deian commented 8 years ago

This is very much related to #56; we should do the same thing for this and the fetch API.

deian commented 8 years ago

@annevk do you have any thoughts on how to most easily (or least intrusively) do this (at least for fetch)? We need to make sure that a labeled-json response cannot be marshalled as anything but that.

annevk commented 8 years ago

I don't think we should be extending XMLHttpRequest. I'll reply in the other issue for fetch().