I’ve only spent an hour or two now with the IE 8 beta, not really enough time to get a real impression of it (there seem to be some nice GUI functionality changes, not much to say on the “standards” compliance yet). I was happy to see that the new cross domain version of XMLHttpRequest (XDomainRequest) doesn’t send cookies. When MS first hinted at this feature I was pretty wary. There is already an XSS method to steal cookies even when HttpOnly is set on the cookie: you essentially make an XMLHttpRequest to the site and read the response headers. The limitation of this is that you really need to embed this on a web page hosted on the same domain as the source you are making the XMLHttpRequest to (since XMLHttpRequest doesn’t really function all that well across domains).
My concern with cross domain requests was that it would be possible for random attacker Bob (in my world Bob is the generic nefarious individual, much to the consternation of Melinda Gates) to use this same sort of attack, but embedded on completely unrelated webpages. Cursory examination seems to suggest it won’t be that easy. There actually seems to be some sort of negotiation necessary just to receive any content. I’m waiting to see the official MS documentation so I have a better idea what I am doing with the API (more specifically, so I know enough to then try and break the safeguards, because I would rather report a break now and get MS to fix it before they exit beta). It seems someone else has the same idea, which is good. I could see a lot of room for abuse if a flaw is found in this scheme so hopefully the security community will do a good job pounding on this functionality before release.
~ Joshbw
UPDATE: for those who want to play around with IE 8 but don’t want to overwrite IE 7 (or 6… please upgrade if you are on 6), MS has free virtual PC images available that already include IE 8. Virtual PC 2007 is needed to run them, but it is also available as a free download and completely rocks as a workstation VM.