
Re: XBL2: access-control doesn't "prevent" unauthorized access; general security model "vague"

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 06 Jul 2007 17:19:38 -0700
Message-ID: <468EDC1A.60404@sicking.cc>
To: "WAF WG (public)" <public-appformats@w3.org>

Thomas Roessler wrote:
> Section 8.2.2 takes a bit of a shortcut around cross-site data
> access and scripting:
> 
> | User agents should implement a security mechanism such as the
> | proposed <?access-control?> PI to prevent unauthorized
> | cross-domain access. [ACCESSCONTROL]
> 
>  -- http://www.w3.org/TR/2007/CR-xbl-20070316/#scripting
> 
> The access-control processing-instruction (or, rather, the
> specification around it) actually does not prevent unauthorized
> cross-domain access, but rather expresses access authorizations that
> extend beyond the current security model.

I agree the language is wrong, though the intent is right. It would be
better to say something like:

User agents should implement a security mechanism such as the
proposed <?access-control?> PI to allow cross-domain access to XBL
documents. [ACCESSCONTROL]

> There's similarly misleading language in section 1.5:
> 
> | Data theft: A naïve implementation of XBL would allow any document
> | to bind to bindings defined in any other document, and (since
> | referencing a binding allows full access to that binding document's
> | DOM) thereby allow access to any remote file, including those on
> | intranet sites or on authenticated extranet sites.
> | 
> | XBL itself does not do anything to prevent this. However, it is
> | strongly suggested that an access control mechanism (such as that
> | described in [ACCESSCONTROL]) be used to prevent such cross-domain
> | accesses unless the remote site has allowed accesses.
> 
>  -- http://www.w3.org/TR/2007/CR-xbl-20070316/#security

Similarly here, the wording can be improved:

XBL itself does not do anything to prevent this. However, it is
strongly suggested that same-origin policies be used to prevent such
cross-domain accesses together with access control mechanisms (such as
that described in [ACCESSCONTROL]) to allow cross-domain access when the
remote site has allowed access.

/ Jonas
Received on Saturday, 7 July 2007 00:19:53 GMT
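
As an added illustration (not code from this thread, the XBL spec or the access-control draft), here is how the two mechanisms Jonas distinguishes compose for a cross-domain binding load: the same-origin policy is the default deny, and an `<?access-control?>` PI in the binding document can only grant access on top of it. The PI grammar modelled (allow/deny attributes holding space-separated scheme://host[:port] items, `*` wildcards, first matching rule wins) and the binding document are simplified assumptions constructed for the example.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Simplified PI grammar (assumption, not the normative [ACCESSCONTROL] syntax).
PI_RE = re.compile(r"<\?access-control\s+(.*?)\?>", re.S)
ATTR_RE = re.compile(r'(allow|deny)\s*=\s*"([^"]*)"')

def origin(url):
    """Reduce a URL to the (scheme, host, port) tuple the same-origin check uses."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, u.hostname, port)

def item_matches(item, org):
    """Match one access item ('*', 'http://*.example.org', 'https://h:8443')
    against a requester origin; '*' in the host part is a glob wildcard."""
    if item == "*":
        return True
    scheme, host, port = origin(item)
    return scheme == org[0] and fnmatchcase(org[1], host) and port == org[2]

def pi_grants(binding_xml, requester_origin):
    """Walk the PIs in document order; the first matching rule decides.
    No matching rule means no grant, so the PI never widens access silently."""
    for m in PI_RE.finditer(binding_xml):
        for kind, items in ATTR_RE.findall(m.group(1)):
            if any(item_matches(i, requester_origin) for i in items.split()):
                return kind == "allow"
    return False

def may_bind(requester_url, binding_url, binding_xml):
    """Same-origin policy first (the part that 'prevents'); the PI only adds
    authorizations beyond it (the part that 'allows'), as Jonas's rewording says."""
    req, bind = origin(requester_url), origin(binding_url)
    if req == bind:
        return True
    return pi_grants(binding_xml, req)

# Constructed binding document: deny one host, then allow the rest of a domain.
BINDING_DOC = (
    '<?xml version="1.0"?>\n'
    '<?access-control deny="http://evil.example.org"?>\n'
    '<?access-control allow="http://*.example.org"?>\n'
    '<xbl xmlns="http://www.w3.org/ns/xbl"><binding id="b"/></xbl>\n'
)

if __name__ == "__main__":
    for who in ("http://app.example.org/", "http://evil.example.org/", "https://app.example.org/"):
        print(who, may_bind(who, "http://widgets.example.net/b.xml", BINDING_DOC))
```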
