RE: comments on access control for cross-site requests - WSC member

Anne,

Please address notes - lines start with ##

Regards

Bill Doyle
wdoyle@mitre.org


-----Original Message-----
From: Anne van Kesteren [mailto:annevk@opera.com] 
Sent: Tuesday, December 18, 2007 2:15 PM
To: Doyle, Bill; Jonas Sicking; WAF WG (public)
Subject: Re: comments on access control for cross-site requests - WSC member

On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
> Not sure how the web server protects itself - "site should be protected
> from any other requests until it grants access"

## Sorry I was not clear. The Web Server needs to be able to control
its IA boundary. In your description and reply the client provides the
protection.

Per the current policy in place the Web server FOO.COM is protected by the
client not allowing a site on BAR.COM to retrieve information from
FOO.COM. A site on BAR.COM can already issue a GET request to FOO.COM
using <img>, <script>, etc. This same GET request is used to allow
cross-site exchange of information through an opt-in policy as defined by
the draft.


> I understand that the 3rd party can restrict access. The requirement is
> for the web server to have a mechanism (i.e. configuration setting or
> other type of control) that allows or disallows access control for
> cross-site requests and the web server has the ability to restrict 3rd
> party access to settings that are controlled by the web server.

What exactly makes you think this is not possible?

## Please explain how this is possible.


> Issue is that the web server owner loses Information Assurance (IA)
> control, this is an issue for my customers. IA control cannot be handed
> over to a 3rd party. For my customers, the web server owners need to
> manage the IA settings.

Do you have a more concrete scenario that illustrates this? I'm not sure I
follow.

## Draft notes that the client becomes the Policy Decision Point, the
IA boundary of the server is extended to include the client.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 18 December 2007 20:09:45 UTC
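The opt-in model argued over above (the server's configuration decides which origins are granted access; the client, acting as policy enforcement point, refuses to expose the response otherwise) can be made concrete with a small simulation. The following is an added example and is not code from this thread, from the W3C draft, or from any of the participants. It uses the header name of the final CORS specification, Access-Control-Allow-Origin, rather than the 2007 draft's header syntax, and the allowlist `FOO_COM_ALLOWED_ORIGINS` is a hypothetical stand-in for the server-side "configuration setting" Bill asks for. Both halves of the exchange are modelled, so it goes slightly beyond the text: the server's decision and the client-side check that enforces it.

```python
"""Added example: server-side opt-in decision plus client-side enforcement.

Not code from the mailing-list thread or the W3C draft. Header name is the
final CORS spec's Access-Control-Allow-Origin (the 2007 draft used different
syntax); the allowlist below is a hypothetical server configuration.
"""
from typing import Dict, Optional, Set

# Hypothetical configuration on the FOO.COM server: the set of cross-site
# origins whose pages may read FOO.COM responses. This is the setting that
# stays under the server owner's control.
FOO_COM_ALLOWED_ORIGINS: Set[str] = {"http://trusted.example"}


def server_response_headers(
    allowed_origins: Set[str], request_origin: Optional[str]
) -> Dict[str, str]:
    """Server side: decide whether to opt in for this request's origin.

    A plain GET can already be issued cross-site via <img> or <script>, so
    the body is produced regardless. What the server controls is whether it
    emits the opt-in header that permits the client to expose the response
    to the requesting page.
    """
    headers = {"Content-Type": "application/json"}
    if request_origin is not None and request_origin in allowed_origins:
        # Echo the specific origin instead of '*' so the allowlist, not a
        # blanket grant, is the deciding factor; mark the response as varying
        # by Origin so a shared cache does not hand an opted-in response to
        # a page from a different origin.
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"
    return headers


def client_may_expose(page_origin: str, response_headers: Dict[str, str]) -> bool:
    """Client side (the browser as policy decision/enforcement point).

    Only the response's own opt-in header can unlock it, and only for the
    exact origin of the page that issued the request. A missing header or a
    mismatch means the page never sees the body.
    """
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed is not None and (allowed == "*" or allowed == page_origin)


def cross_site_read(page_origin: str, allowed_origins: Set[str]) -> bool:
    """Simulate a page on page_origin fetching from a server configured with
    allowed_origins; return True only if the page can read the body."""
    headers = server_response_headers(allowed_origins, page_origin)
    return client_may_expose(page_origin, headers)


if __name__ == "__main__":
    # Constructed sample origins: one on the allowlist, one not.
    for origin in ("http://trusted.example", "http://bar.com"):
        print(origin, "->", cross_site_read(origin, FOO_COM_ALLOWED_ORIGINS))
```

The split of responsibilities is the point of the example: the allowlist lives on the server and is the server owner's IA setting, while the client only enforces what the server's response declares. The caveat a deployer should keep in mind is that the opt-in header governs exposure of the response to the page, not whether the server sends it; data that must never leave the server still has to be protected by the server's own authentication and authorization, not by the client's enforcement.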