Access control requirements from Jonas Sicking on 2008-01-17 (public-appformats@w3.org from January 2008)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 16 Jan 2008 22:56:37 -0800
To: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <478EFC25.7040702@sicking.cc>

Here are the first round of requirements that I had. Looking forward to 
input.

1.
Must not require content authors or site maintainers to implement new or
additional security protections to preserve their existing level of
security protection. (Stolen from Brad Porter)

2.
Must be deployable to existing, commonly used, servers without requiring 
actions by the server administrator in a typical configuration.

3.
Must able to easily deploy support for cross site GET requests. This 
includes not having to use server side scripting (such as PHP, ASP, or 
CGI) in a typical server configuration.

4.
It should be possible to put the resource that is made available cross
site in its normal format on the server. It should be possible
to use normal development tools to interact with the resource directly
on the server. I.e. it should not be needed to repackage or reformat the 
resource just to make it possible to load from other servers.

5.
Content of any type should be possible to distribute. I.e. we should not
limit ourselves to content of a particular type.

6.
It should be possible to allow only specific servers, or sets of servers
to fetch the resource.

7.
It should be possible for the administrator of the server to disable
requests to any resource of the server. This should be easily doable on
servers currently deployed using currently existing tools.

8.
It should be possible to use resources on other servers using the same 
methods currently used to load resources. For example the following 
examples should be possible:

<?xml-stylesheet type="text/xsl" href="http://other.server/file.xsl"?>

<?xbl href="http://other.server/xbl.xml"?>

xhr = new XMLHttpRequest;
xhr.open("GET", "http://other.server/data.text");
xhr.send();

9.
It should be possible to issue methods other than GET to the server, 
such as POST and DELETE.

10.
Should be possible to use normal authentication mechanisms on the server 
where the resource is located. I.e. on an IIS server where 
authentication and session management is generally done by the server 
before ASP pages execute this should be doable also for requests coming 
from other servers. Same thing applies to PHP on apache.

/ Jonas

Received on Thursday, 17 January 2008 06:56:47 UTC