0

The XMLHttpRequest spec says that attempted usage of the CONNECT method should throw a security error.

Is there a security issue with client-side JavaScript sending CONNECT requests to servers? It seems it could be somewhat useful to allow browsers to tunnel / open secure TLS sessions to destination servers through a proxy web server.

Shruggie
  • 229
  • 1
  • 10
  • But browsers use already HTTP CONNECT if a proxy is configured in the browser. What real-life use case do you imagine where the browser needs to use a specific proxy even if no or a different one was explicitly configured in the browser? – Steffen Ullrich Feb 12 '19 at 05:30
  • @SteffenUllrich Hypothetically, a company offers a better UI to view electronic medical records and offers it to a bunch of hospitals. The user can retrieve their sensitive health data from the hospital's server via SSL tunnel thru the webserver, while ensuring the webserver doesn't actually see their medical data. – Shruggie Feb 12 '19 at 05:42
  • 2
    @ben This seems like the [XY Problem](http://xyproblem.info/). What you really want is safe transport of medical records, not to call low-level connection methods in the browser from JavaScript. I can tell you for certain that there's ways to achieve what you really want, but you're a little off track. – nbering Feb 12 '19 at 05:58
  • 2
    @nbering fair - I'm not actually implementing anything like this, just toying with tunnels and am curious about why the CONNECT method isn't available to browsers, and whether there is a real security issue there – Shruggie Feb 12 '19 at 06:17
  • @ben: The example you make calls more for a general solution with a new protocol method (similar to `https://`) since it makes no sense to have this ability only with XMLHttpRequest and not for normal links etc. At the end - CONNECT is a method only used for tunneling TLS and WebSockets over a HTTP proxy and there is no reason it should be supported within XHR. – Steffen Ullrich Feb 12 '19 at 07:00
  • “The user can retrieve their sensitive health data from the hospital's server via SSL tunnel thru the webserver.” Not the case of a website, because the JavaScript loading “sensitive health data” come from the webserver. You can’t protect user if the webserver is malicious. – Franklin Yu Jun 24 '19 at 16:28

1 Answers1

3

The CONNECT method leaves the TCP connection at a different state than it originally was; unlike other HTTP request, the CONNECT method is stateful, it is always the last HTTP request that can happen on that TCP connection.

Once the CONNECT request is finished, that connection cannot be used to transfer other XMLHttpRequest, and instead are solely usable for the tunneled protocol. So the browser would have to discard the connection once the tunnel is closed.

Back when XMLHttpRequest was originally written, Javascript didn't have a Socket API (and it still doesn't now; despite the name, Websocket isn't really a true Socket API, it's more like Messaging API because it has automatic message framing and cannot be used to write arbitrary bytes to the underlying socket), so there isn't really a way to use that tunneled connection from Javascript.

Since the browser can no longer use that TCP connection for anything, and since JavaScript cannot use that connection either due to lack of Socket API and a way to reference the connection, the only valid thing that the browser can do after a CONNECT request is to close the connection.

Prohibiting CONNECT limits the scope of XMLHttpRequest API so standard authors and implementers doesn't have to deal with those issues, and XMLHttpRequest can be designed so it only need to deal with stateless requests.

Lie Ryan
  • 31,089
  • 6
  • 68
  • 93