[Standards] Redirects in BOSH
Matthew A. Miller
linuxwolf at outer-planes.net
Fri Feb 25 15:26:45 UTC 2011
(NOTE: Below "we" does not mean the XMPP community as a whole; "we" means our employer)
On Feb 25, 2011, at 08:14 , Joe Hildebrand wrote:
> On 2/25/11 6:07 AM, "Peter Saint-Andre" <stpeter at stpeter.im> wrote:
>> [old thread alert!]
>> On 12/1/10 12:56 AM, Evgeniy Khramtsov wrote:
>>> Is it possible to redirect BOSH requests (probably, using 3xx+cookie or
>>> something like that)? The client should not interpret such responses as
>>> fatal, e.g. it should not drop the existing session.
>> I see no reason why not, but it's not described in the spec. Would it
>> help for us to add some examples?
> If the redirect comes from a trusted source (e.g. over HTTPS with a verified
> certificate) then this can work ok, although we've decided that the BOSH
> see-other-uri error is easier to control through XMLHTTPRequest,
> particularly when doing CORS.
> Be careful that you don't blindly accept redirects, however, or you are
> trivial to man-in-the-middle attack.
If the redirect is via HTTP 3xx+cookie, then CORS already has a solution via Access-Control-* headers. However, the XMLHttpRequest objects in browsers don't always let you know this happened. Maintaining the redirect then becomes the responsibility of the browser, which may not be desirable for BOSH (I don't think it's desirable, anyway (-: ).
If done via the "see-other-uri" BOSH error condition, then this is definitely a concern. On the plus side, the BOSH software (whether browser-based or stand-alone) knows a redirect is happening in this case, so you have a better opportunity to protect yourself at the application-level.
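As an added example that is not part of this thread or of any particular BOSH library, the snippet below shows the application-level protection Matthew describes: a client that receives a see-other-uri termination sees the new URI and can refuse to follow it when it would downgrade to plain HTTP or move the session to a host the application does not trust. The <body/> element, its namespace and the see-other-uri condition name are from XEP-0124; the HTTPS-only rule, the hostname allowlist, the example.net/example.com hostnames and the sample bodies are this example's own assumptions and constructed inputs.

```javascript
// Added example, not code from the thread or from any BOSH implementation.
// Handles the BOSH "see-other-uri" terminate condition at the application layer:
// the client sees the new URI, so it can refuse redirects that would downgrade
// to plaintext or move the session to a host it does not trust.
// The <body/> element, its namespace and the condition name follow XEP-0124;
// the HTTPS-only and hostname-allowlist policy is this example's own choice.

const BOSH_NS = "http://jabber.org/protocol/httpbind";

// Pull out only the fields this example needs from a BOSH <body/> response.
// A real client would use the platform XML parser; a regex keeps this runnable
// offline in Node without dependencies and is not meant as a general XML parser.
function parseBoshBody(xml) {
  const open = xml.match(/<body\b([^>]*)>/);
  if (!open) return null;
  const attrs = {};
  for (const m of open[1].matchAll(/([\w:-]+)=(['"])(.*?)\2/g)) {
    attrs[m[1]] = m[3];
  }
  if (attrs.xmlns !== BOSH_NS) return null;
  const uri = xml.match(/<uri>\s*([^<\s]+)\s*<\/uri>/);
  return {
    type: attrs.type || null,
    condition: attrs.condition || null,
    uri: uri ? uri[1] : null,
  };
}

// Policy check for a proposed redirect. The new URI must be HTTPS and its host
// must be either the host we are already talking to or one on an allowlist the
// application configured out of band, so whoever injected a redirect cannot
// pick the destination.
function evaluateRedirect(currentUrl, candidateUri, allowedHosts) {
  let target;
  try {
    target = new URL(candidateUri, currentUrl); // relative URIs resolve against the current CM URL
  } catch (e) {
    return { follow: false, reason: "unparseable uri" };
  }
  if (target.protocol !== "https:") {
    return { follow: false, reason: "redirect target is not https" };
  }
  const trusted = new Set([new URL(currentUrl).hostname, ...allowedHosts]);
  if (!trusted.has(target.hostname)) {
    return { follow: false, reason: "redirect target host not trusted" };
  }
  return { follow: true, reason: "ok", url: target.href };
}

// Map one connection-manager response to an action for the session state machine.
//   continue  - ordinary response, keep using the current URL
//   redirect  - re-send the pending request to result.url
//   terminate - session is over (including a redirect we refused to follow)
function handleResponse(currentUrl, xml, allowedHosts = []) {
  const body = parseBoshBody(xml);
  if (!body) return { action: "terminate", reason: "not a BOSH body" };
  if (body.type !== "terminate") return { action: "continue" };
  if (body.condition !== "see-other-uri" || !body.uri) {
    return { action: "terminate", reason: body.condition || "terminated" };
  }
  const verdict = evaluateRedirect(currentUrl, body.uri, allowedHosts);
  return verdict.follow
    ? { action: "redirect", url: verdict.url }
    : { action: "terminate", reason: "refused redirect: " + verdict.reason };
}

// Constructed sample traffic for the example (not captured from a real server).
const CURRENT_URL = "https://bosh.example.net/http-bind/";
const ALLOWED_HOSTS = ["cm2.example.net"];

const SAMPLE_REDIRECT_OK =
  `<body xmlns='${BOSH_NS}' type='terminate' condition='see-other-uri'>` +
  `<uri>https://cm2.example.net/http-bind/</uri></body>`;
const SAMPLE_REDIRECT_PLAINTEXT =
  `<body xmlns='${BOSH_NS}' type='terminate' condition='see-other-uri'>` +
  `<uri>http://cm2.example.net/http-bind/</uri></body>`;
const SAMPLE_REDIRECT_FOREIGN =
  `<body xmlns='${BOSH_NS}' type='terminate' condition='see-other-uri'>` +
  `<uri>https://attacker.example.com/http-bind/</uri></body>`;
const SAMPLE_NORMAL =
  `<body xmlns='${BOSH_NS}' sid='SomeSID' wait='60' requests='2' inactivity='30'/>`;

for (const xml of [SAMPLE_REDIRECT_OK, SAMPLE_REDIRECT_PLAINTEXT, SAMPLE_REDIRECT_FOREIGN, SAMPLE_NORMAL]) {
  console.log(JSON.stringify(handleResponse(CURRENT_URL, xml, ALLOWED_HOSTS)));
}
```

Note that an HTTP 3xx answered by the connection manager never reaches this code when the browser's XMLHttpRequest follows it transparently, which is the point of the contrast above: only the BOSH-level see-other-uri gives the client a place to apply a policy like this. A refused redirect ends the session here rather than silently continuing, since the connection manager has already sent type='terminate'.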