Re: [AC] Access Control Algorithm

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 26 Apr 2007 09:34:41 +0200
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <20070426073441.GD1542@raktajino.does-not-exist.org>

On 2007-04-24 12:12:35 -0700, Jonas Sicking wrote:

> So this puts two requirements on the algorithm. First of all we
> can't simply merge whatever lists are in the headers with the
> lists produced by the PIs in the page. Second, we need an
> explicit way to deny access, not just exclude from the accept
> list.

I think we'd need some *very* good arguments why that is desirable.
The current algorithm is, in fact, deliberately designed *not* to
deny access in addition to what the browser's default sandbox does.

The point here is that this directive is really only enforced in the
browser. If a resource author thinks they can reliably protect
themselves from cross-site access by throwing in an additional
"deny" (and possibly make that part of their security analysis),
then that's an exercise in self-delusion: Deployment of the
access-control header or processing instruction will be far from
universal for a long time (assuming it ever even gets close to being
universal).

I don't think the spec should be designed in a way that suggests
that such a use of the access-control mechanism (maybe it should
really be called an access-grant mechanism, btw) is either safe,
reliable, or useful.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Thursday, 26 April 2007 09:14:29 GMT
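To make the enforcement point concrete: the following is an added illustration, not code from this thread or from the WAF Access Control draft. It models a response whose policy comes from both a header and a processing instruction in the body, a conforming browser that merges the two lists and honours them, and a non-browser client that never looks at the policy. The `Access-Control` header name, the `<?access-control ...?>` PI, and the `allow`/`deny` token syntax are simplified stand-ins assumed for the example, not the spec's grammar.

```python
# Added illustration (not code from the W3C WAF spec or this thread):
# an access-grant policy that only a conforming user agent enforces.
# The "Access-Control" header, the <?access-control ...?> PI and the
# "allow"/"deny" token syntax are assumptions for the example.
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """A response as the server sends it: the body is already on the wire."""
    body: str
    headers: dict = field(default_factory=dict)


def _parse_policy(text: str) -> tuple[set[str], set[str]]:
    """Parse ';'-separated 'allow <origin>...' / 'deny <origin>...' directives."""
    allowed, denied = set(), set()
    for directive in re.split(r"\s*;\s*", text.strip()):
        parts = directive.split()
        if not parts:
            continue
        keyword, origins = parts[0].lower(), set(parts[1:])
        if keyword == "allow":
            allowed |= origins
        elif keyword == "deny":
            denied |= origins
    return allowed, denied


def policy_from_response(resp: Response) -> tuple[set[str], set[str]]:
    """Collect policy from the (assumed) Access-Control header and from
    any processing instruction embedded in the body.  Both allow lists and
    both deny lists are merged by union; a deny wins in this toy model,
    which is exactly the "explicit deny" the message argues against."""
    allowed, denied = _parse_policy(resp.headers.get("Access-Control", ""))
    for pi in re.findall(r"<\?access-control\s+(.*?)\?>", resp.body):
        a, d = _parse_policy(pi)
        allowed |= a
        denied |= d
    return allowed, denied


def browser_fetch(resp: Response, origin: str):
    """Emulate a conforming user agent: expose the body to `origin` only if
    the policy grants it.  The response has already been received in full;
    the check only decides whether the requesting page's script may read it."""
    allowed, denied = policy_from_response(resp)
    if origin in denied:
        return None
    if origin in allowed or "*" in allowed:
        return resp.body
    return None


def raw_fetch(resp: Response, origin: str) -> str:
    """Any client that is not a conforming browser (a script, curl, a
    hostile user agent): the policy is never consulted, deny or no deny."""
    return resp.body


# Constructed sample response: the header grants one origin, the PI in the
# body grants a second and denies a third.
SAMPLE = Response(
    body="<?access-control allow http://partner.example; "
         "deny http://evil.example?><data>secret</data>",
    headers={"Access-Control": "allow http://app.example"},
)

if __name__ == "__main__":
    for origin in ("http://app.example", "http://partner.example",
                   "http://evil.example", "http://other.example"):
        print(origin, "browser:", browser_fetch(SAMPLE, origin),
              "raw:", raw_fetch(SAMPLE, origin))
```

The browser path shows the grant lists working as intended, and the denied origin being blocked; the raw path returns the same body for every origin, including the one the author "denied", which is the reason the message treats a deny directive as a false sense of protection rather than a server-side control.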