W3C home > Mailing lists > Public > public-appformats@w3.org > November 2007

Re: Design issues for access-control

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 05 Nov 2007 10:28:46 -0500
To: "Thomas Roessler" <tlr@w3.org>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t1brx8bp64w2qv@annevk-t60.oslo.opera.com>

On Mon, 05 Nov 2007 10:22:15 -0500, Thomas Roessler <tlr@w3.org> wrote:
> There are two points here:
>
> 1. There is a design decision at least in Xforms to enable
> cross-site POST with XML content.
>
> [2]. You are "vulnerable" to a cross-site POST if your *user* has
> xforms support active.  If you deploy a web application (or Web
> Service) that is vulnerable to cross-site POST with an XML content
> type, you probably have a problem.
>
> Together, these suggest to me that trying to avoid specifically XML
> content in unattended cross-site POST requests (if they are caused
> by XHR) is an exercise that's not worth the effort.

Given that XForms isn't widely deployed at all I'm not sure we should  
simply declare cross-site POST with more capabilities than <form> POST  
safe. Also, we're trying to address more than POST and GET.


>>>> <form> POST is not relevant to the discussion at hand.
>>>> XMLHttpRequest POST follows the model with Method-Check, etc.
>>>
>>> You're not answering my question.
>>
>> I don't understand it then, I suppose.
>
> Key words: "from the perspective of the site that needs to handle
> these requests"

You already said that. I'm not sure how you think that helps.


>>> There is a difference between deploying a web application and
>>> deploying a different HTTP stack.
>
>> Well yes, some changes have to be made in order to support this.
>> This is not that complicated though with typical server-side
>> languages.
>
> We seemed to have a goal to do it all without server changes at some
> point. Seems that has been lost.

At some point this draft only addressed the GET case. We then merged the  
XMLHttpRequest Level 2 proposal for non-GET cases into this draft.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 5 November 2007 15:28:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:08 UTC