- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Fri, 30 Nov 2007 10:03:46 -0800
- To: <annevk@opera.com>, public-appformats@w3.org
- Message-ID: <OFB952E7CB.ACC3D063-ON882573A3.006120BA-882573A3.006338EF@us.ibm.com>
Hi Anne,

We have had quite a bit of discussion about security implications of Access Control at OpenAjax Alliance. However, because there are many people involved in the discussion, it is difficult to achieve an official approved opinion for our members. Instead, I will express my personal point of view on the subject, where my opinions have been informed by discussion from the OpenAjax members.

In general, I do not see any specific identifiable security problems with the most recent specification, except in one area. My concern (shared with other OpenAjax members) is that the wording about cookies needs to be clearer. The specification now says:

----------------
When making a cross-site access request user agents should ensure to:
...
Not to expose any trusted data, such as cookies, HTTP header data, inappropriately
----------------

I worry that the language can be mis-interpreted or misunderstood. What seems "inappropriate" to you might be different from what someone else thinks. My opinion (shared with other OpenAjax members) is that we would like to see language that is simpler and more direct, such as "cookies SHOULD NOT be sent with cross-site requests". I haven't studied the specification from an editorial perspective all that closely, but maybe something like this would work:

----------------
When making a cross-site access request user agents:
...
* SHOULD NOT transmit cookies or HTTP header data
----------------

Also:

* I expect the words "HTTP header data" might need some work since the specification does indicate that in some cases some HTTP headers are sent.
* Although I haven't discovered any specific security problems, that doesn't mean none exists.

Thanks for all of your hard work on this spec.

Jon
Received on Friday, 30 November 2007 18:08:27 UTC