Re: <?access-control?> allows privilege escalation attacks with many embedding mechanisms

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 19 Feb 2006 18:37:27 -0800
Message-Id: <71AEF1AC-DAFF-4EB1-A9D2-F163BF7F267F@apple.com>
Cc: Brad Porter <bwporter@tellme.com>, Anne van Kesteren <annevk@opera.com>, www-voice@w3.org, public-webapi@w3.org, public-appformats@w3.org, mozilla-xbl@mozilla.org
To: Ian Hickson <ian@hixie.ch>

On Feb 19, 2006, at 6:32 PM, Ian Hickson wrote:

> On Sat, 18 Feb 2006, Maciej Stachowiak wrote:
>> I thought about this some more, and it no longer makes sense to me. If
>> off-site XBL runs in the security context of the referencing document,
>> not the XBL document, then why would <?access-control?> be useful?
> You want to prevent people from being able to use off-site XBL files
> without those files being intended for that purpose because otherwise you
> would be allowed to fetch any arbitrary XML on any site (including, e.g.,
> authenticated extranet or intranet sites).

OK, makes sense for this use case. Thanks for the explanation. I did
not think of the XBL file itself as potentially being the target of
unauthorized data access.
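The point Ian makes above is that the XML resource being bound (the XBL file) must opt in before a page on another site may read it, otherwise any page could load authenticated intranet XML through the binding mechanism. The following is an added illustration of that user-agent-side check, not code from this thread or from any W3C or Mozilla implementation. It assumes a simplified grammar for the processing instruction: `allow` and `deny` attributes holding space-separated host patterns (`*`, `example.org`, `*.example.org`), with same-origin reads always permitted, cross-site reads denied unless an `allow` pattern matches, and `deny` taking precedence. The sample XML documents are constructed for the example.

```python
import re
from urllib.parse import urlsplit
from xml.dom import minidom

# Constructed sample: an XBL document that opts in to being read by pages on
# example.org and its subdomains, except evil.example.org. The attribute
# grammar is a simplified assumption, not the exact W3C draft syntax.
SAMPLE_OPTED_IN = b"""<?xml version="1.0"?>
<?access-control allow="example.org *.example.org" deny="evil.example.org"?>
<bindings xmlns="http://www.mozilla.org/xbl"><binding id="b"/></bindings>"""

# Constructed sample: an intranet report with no <?access-control?> PI at all.
SAMPLE_NO_PI = b"""<?xml version="1.0"?>
<report><secret>intranet data</secret></report>"""

_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def access_control_pis(xml_bytes):
    """Return attribute dicts for every prolog-level <?access-control?> PI.

    Only PIs that are direct children of the document (i.e. before the root
    element) are considered, matching where the opt-in is expected to live.
    """
    doc = minidom.parseString(xml_bytes)
    found = []
    for node in doc.childNodes:
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "access-control"):
            found.append(dict(_ATTR_RE.findall(node.data)))
    return found


def host_matches(pattern, host):
    """Match one host pattern: '*', '*.example.org' (subdomains only) or exact."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.example.org" matches "www.example.org" but not "example.org".
        return host.endswith(pattern[1:])
    return pattern == host


def may_read(referencing_url, resource_url, xml_bytes):
    """User-agent decision: may the document at referencing_url read resource_url?"""
    ref, res = urlsplit(referencing_url), urlsplit(resource_url)
    # Same origin: always allowed, the PI plays no role.
    if (ref.scheme, ref.hostname, ref.port) == (res.scheme, res.hostname, res.port):
        return True
    ref_host = ref.hostname or ""
    pis = access_control_pis(xml_bytes)
    if not pis:
        return False  # no opt-in: cross-site read denied by default
    allowed = False
    for attrs in pis:
        for pat in attrs.get("deny", "").split():
            if host_matches(pat, ref_host):
                return False  # deny wins over any allow
        for pat in attrs.get("allow", "").split():
            if host_matches(pat, ref_host):
                allowed = True
    return allowed


if __name__ == "__main__":
    print(may_read("http://www.example.org/app.xhtml",
                   "http://widgets.example.net/b.xml", SAMPLE_OPTED_IN))   # True
    print(may_read("http://attacker.example.com/",
                   "http://intranet.example.corp/report.xml", SAMPLE_NO_PI))  # False
```

The default-deny branch is the one that matters for the threat in this thread: an XML resource that never heard of `<?access-control?>` stays unreadable cross-site, so a page on one origin cannot use an XBL binding to pull authenticated intranet content from another.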

Received on Monday, 20 February 2006 02:38:37 UTC
