W3C home > Mailing lists > Public > public-cdf@w3.org > January 2006

CDR: description of current web security model has problems

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 2 Jan 2006 02:00:00 -0800
Message-Id: <CBD13088-E959-4A11-A95B-CCF319CCF4D1@apple.com>
To: public-cdf@w3.org


2.5.3

"Currently, the common approach used is to restrict access across  
documents or network interfaces to material which comes from the same  
source as the code which tries to make that access."

- This sentence is not grammatically correct English.

- The claim made by the sentence is not correct. Access is based on  
the domain (and protocol and port) of the documents in the context of  
which the code is executing. It ignores where the code comes from, if  
the document happened to include code, such as JavaScript, from a  
site other than that which the document came from.

"This makes it difficult to re-use resources on the Web, by requiring  
a copy to be held in the domain of each application which uses that
resource."

- I don't see how this is true. JavaScript files, CSS files, images  
and html files can all be included from other sites. The difficulty  
only occurs when you wish to read the contents of such documents.  
There is no client-side technology that two sites could use to  
collaborate.

"This breaks cacheability, potentially reduces maintainability, and  
requires services to maintain the entire service rather than taking  
full advantage of specialised third-party providers."

- I'm not buying these claims but ok - does this spec propose doing  
anything different in this regard? Does it propose that access to  
different documents *not* be restricted based on domain/scheme/port  
as traditionally?


Regards,
Maciej
Received on Monday, 2 January 2006 10:37:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:40 GMT