
[AC] new title, abstract and introduction

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 04 Aug 2006 15:45:39 -0400
To: public-appformats@w3.org
Message-ID: <op.tdryidfh64w2qv@id-c0020.hsd1.ma.comcast.net>

They are a bit shorter than the current abstract and introduction, but I  
think they're clear enough and should address the concern raised by David  
Baron on this list[1]. (And also that from other people who did not  
explicitly raise it.)

I do think that we need to add some examples as well and perhaps  
elaborate a bit more on the scenario that takes place (client does a  
request, gets headers back, verifies, gets a bit of the content, verifies,  
denies/allows/default), but I think we can do that after we agreed on the  
syntax and the specific way of handling HTTP headers and XML processing  
instructions (when combined).

Title: Access Control for Web Pages

Abstract: This document provides two mechanisms for a page to relax  
typical cross-site scripting restrictions on accessing it. Using either an  
HTTP header or XML processing instruction (or both) documents can indicate  
they can be accessed from domain <var>A</var>, but not from domain  
<var>B</var>, et cetera.

Introduction: Web browsers disallow a script on domain <var>A</var> from  
accessing content on domain <var>B</var>, because of security considerations.  
Authors resort to proxying the content through the domain hosting their  
application (<var>A</var>) thereby increasing overhead and limiting  
scalability. Access Control for Web Pages enables a way for authors to  
declare that the content on domain <var>B</var> may in fact be accessed by  
domain <var>A</var> by means of an HTTP header or XML processing  
instruction (or both).

The HTTP header and XML processing instruction are designed explicitly to  
enable extending the "sandbox" and are not meant as a restriction  
mechanism. The expectation is that the user agent's default policy is more  
strict. Therefore, it is always safe to fall back to default policy in the  
event of an error.

XXX: Is the above paragraph correct?


Anne van Kesteren
Received on Friday, 4 August 2006 19:45:52 UTC
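The flow the post sketches (client does a request, gets headers back, verifies, gets a bit of the content, verifies, ends at allow/deny/default) and the fail-closed rule in its last paragraph, as an added example written for this page; it is not code from the post, from Opera, or from the draft under discussion. The header name `Access-Control`, the processing-instruction target `access-control`, the `allow <domain> deny <domain>` rule syntax, the `*.domain` wildcard form, and the way header and PI are combined when both are present are all assumptions made for the example, since the post says the syntax and the combined handling are still open. The sample response below is constructed, not captured traffic.

```javascript
// Added example: fail-closed evaluation of a cross-domain access decision.
// ASSUMPTIONS (not fixed by the post): header "Access-Control", PI target
// "access-control", rule syntax "allow <domain> deny <domain>", wildcard
// "*.domain", and "any deny wins, else any allow wins, else default" when a
// header and a PI are both present.

// Parse "allow <a.example> deny <b.example>" into [{ action, pattern }].
// Anything unexpected throws, so the caller drops to the default policy.
function parseRules(text) {
  const rules = [];
  const re = /(allow|deny)\s+<([^<>\s]+)>/g;
  let consumed = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (text.slice(consumed, m.index).trim() !== "") throw new Error("unparsed text in rule list");
    rules.push({ action: m[1], pattern: m[2].toLowerCase() });
    consumed = re.lastIndex;
  }
  if (text.slice(consumed).trim() !== "") throw new Error("unparsed text in rule list");
  if (rules.length === 0) throw new Error("empty rule list");
  return rules;
}

// Does a rule pattern cover the requesting domain? "*.b.example" covers any
// subdomain of b.example but not b.example itself (assumed wildcard form);
// otherwise the match is exact, case-insensitive.
function domainMatches(pattern, domain) {
  domain = domain.toLowerCase();
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".b.example"
    return domain.endsWith(suffix) && domain.length > suffix.length;
  }
  return pattern === domain;
}

// Evaluate one rule list for a domain: an explicit deny beats any allow;
// no matching rule at all means "default" (leave it to the user agent).
function evaluateRules(rules, domain) {
  let allowed = false;
  for (const r of rules) {
    if (!domainMatches(r.pattern, domain)) continue;
    if (r.action === "deny") return "deny";
    allowed = true;
  }
  return allowed ? "allow" : "default";
}

// Pull the rule text out of an <?access-control ...?> processing instruction
// found in the first bytes of an XML body, or null if there is none.
function rulesFromProlog(bodyPrefix) {
  const m = /<\?access-control\s+([^?]*)\?>/.exec(bodyPrefix);
  return m ? m[1] : null;
}

// The full decision: "allow", "deny" or "default". "default" means the user
// agent applies its own (stricter) policy, i.e. no cross-domain access. Any
// parse error also lands on "default": the mechanism can only widen what the
// user agent allows, never narrow it, so failing closed is always safe.
function decideAccess(requestingDomain, headers, bodyPrefix) {
  try {
    const verdicts = [];
    const headerValue = headers["access-control"];          // step 1: headers
    if (headerValue !== undefined) verdicts.push(evaluateRules(parseRules(headerValue), requestingDomain));
    const piText = rulesFromProlog(bodyPrefix);             // step 2: a bit of content
    if (piText !== null) verdicts.push(evaluateRules(parseRules(piText), requestingDomain));
    if (verdicts.includes("deny")) return "deny";
    if (verdicts.includes("allow")) return "allow";
    return "default";
  } catch (e) {
    return "default";
  }
}

// Constructed sample response as the user agent would see it (not real traffic).
const SAMPLE_HEADERS = {
  "access-control": "allow <a.example> allow <*.partner.example> deny <b.example>",
};
const SAMPLE_BODY_PREFIX =
  '<?xml version="1.0"?>\n<?access-control deny <eu.partner.example>?>\n<data>';

for (const d of ["a.example", "b.example", "eu.partner.example", "c.example"]) {
  console.log(d, "->", decideAccess(d, SAMPLE_HEADERS, SAMPLE_BODY_PREFIX));
}
// A header the parser does not understand gets no benefit of the doubt:
console.log("malformed ->", decideAccess("a.example", { "access-control": "allow a.example" }, ""));
```

Two design points worth noting. The parser rejects any leftover text rather than skipping it, so a typo in a rule list yields "default" instead of a partially honoured list; and a deny from either source wins over an allow from the other, which keeps the combined result at or above the user agent's default restriction regardless of how the two sources are ordered.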
