Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

* Jon Ferraiolo wrote:
>I didn't understand your logic with the spammer metaphor where the browser
>is the spammer sending unwanted initial requests to the server. A request
>goes to the server no matter whether we are talking about AC/XHR,
>JSONRequest or XDR. With AC/XHR, the browser sends a request (the spam) and
>the response comes back with either Access-Control header or (for XML) an
>Access-Control PI. With JSONRequest, the response is either an error or
>comes back with a Content-Type:application/jsonrequest header. With XDR,
>similar, except with an XDomainRequestAllowed:1. What am I missing?

XHR2+AC asks the server whether it is prepared to handle cross site
requests for a particular resource; XDR and JSONRequest never ask and just
assume the server is prepared to handle their requests. This thread in
fact started with you saying "The client should just make cross-domain
requests". Opting into receiving cross domain requests is critical; that
XDR and JSONRequest don't do this is justified, if at all, only by their
many limitations.

>But cookies are just one small part of a bigger picture. My opinion is that
>it would be better to start off with an approach that is based on something
>like JSONRequest or XDR where policy management (i.e., allow/deny logic)
>happens on the server rather than the client, and where the starting point
>for discussion is a proposal that has been designed with security in mind
>from the beginning. ***THEN*** make adjustments to improve from this secure
>foundation to offer more flexibility and possibly even better security
>characteristics. For example, start with JSONRequest and transform it into
>something that includes XML support, or start with XDR and transform it into
>something that offers an option to go beyond just GET and POST and allows
>for secure transmission of user credentials.

Neither XDR nor JSONRequest offers a foundation that could reasonably be
extended this way. A heavy tank may be very solid, stable, secure, but
if you really need an aeroplane, you will have a hard time adding wings
to the tank and making it fly.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Friday, 16 May 2008 01:53:46 UTC