Re: CDR: Security exceptions and events

Maciej,

Please find the responses below marked with [KEK]. Both comments were 
accepted and implemented.

Please let us know, within 2 weeks, if this change does not address your 
comments. 

Kevin 
On behalf of the CDF WG 

Action 348: Respond to comments 7+8 
http://www.w3.org/2004/CDF/Group/track/actions/348
Message 7 http://lists.w3.org/Archives/Public/public-cdf/2006Jan/0007.html
Maciej Stachowiak <mjs@apple.com>
Sent by: public-cdf-request@w3.org
01/02/2006 04:36 AM

To: public-cdf@w3.org
Subject: CDR: Security exceptions and events

Section 2.1.2

"Accessing the parent document through the DOM can be disabled for
security reasons. In such cases user agents should throw a
SecurityException as defined in section 2.1.4."

Section 2.1.3

"Accessing the child document through the DOM can be disabled for
security reasons. In such cases user agents should throw a
SecurityException as defined in section 2.1.4."

Section 2.1.4 SecurityException

- I strongly recommend against security exceptions. The 
generally accepted best security practices are silent failure when an 
attempted intrusion is detected. Otherwise the attacker may gain 
useful information. Therefore it would be best to just return nil in 
cases where access is disabled for security reasons, and to remove 
the exception. This also matches de facto behavior of similar 
features in existing UAs (window.frameElement for instance, which 
just returns nil rather than throwing an exception).

[KEK] Sections 2.1.2, 2.1.3 and 2.1.4 have been removed in favor of existing 
mechanisms only for event propagation in compound documents by reference.

Section 2.2.2

"When a document breaks through the user agent security policy, user 
agents are encouraged to dispatch a security event in the http:// 
www.w3.org/2005/10/cdf namespace on the document object."

- Surely this should say "attempts to break through the user agent 
security policy".

- Which document object? The parent? The child? The document 
attempting to violate policy? The document that is the target of the 
attempted violation? Please clarify this in the specification.

- Security events are a bad idea for the same reason as security 
exceptions. I recommend removing them from the spec.

[KEK] Section 2.2 has been removed. 

Received on Wednesday, 8 March 2006 13:38:46 UTC
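The design question Maciej raises (throw a SecurityException versus return nil, as window.frameElement does) can be made concrete with a small model. This is an added example, not code from the thread or from any user agent; the document shape `{ origin, parent }`, the `sameOrigin` check and the accessor names are assumptions made for the illustration.

```javascript
// Stand-in for the draft's SecurityException (section 2.1.4).
class SecurityException extends Error {
  constructor(msg) { super(msg); this.name = "SecurityException"; }
}

// A document is modelled as { origin, parent }, where parent is another
// document or null for a top-level document (hypothetical shape).
function sameOrigin(a, b) { return a.origin === b.origin; }

// Design 1: throwing accessor, as in the draft's sections 2.1.2 / 2.1.4.
function parentDocumentThrowing(doc) {
  if (doc.parent === null) return null;               // top-level: no parent
  if (!sameOrigin(doc, doc.parent)) {
    throw new SecurityException("cross-origin parent access denied");
  }
  return doc.parent;
}

// Design 2: silent failure, the way window.frameElement behaves in
// existing user agents: a denied access is indistinguishable from "no parent".
function parentDocumentSilent(doc) {
  if (doc.parent === null) return null;
  if (!sameOrigin(doc, doc.parent)) return null;
  return doc.parent;
}

// What a script running inside `doc` can observe from one call.
function observe(accessor, doc) {
  try {
    return accessor(doc) === null ? "null" : "document";
  } catch (e) {
    return e.name;
  }
}

// Constructed sample documents: a top-level page, a same-origin child
// and a cross-origin child embedded in it.
const top = { origin: "https://a.example", parent: null };
const sameOriginChild = { origin: "https://a.example", parent: top };
const crossOriginChild = { origin: "https://b.example", parent: top };

// Outcomes for [top, sameOriginChild, crossOriginChild]. The throwing API
// yields three distinct observations, the silent one only two: the explicit
// "denied" signal is the extra information the comment objects to.
function outcomes(accessor) {
  return [top, sameOriginChild, crossOriginChild].map(d => observe(accessor, d));
}
```

`outcomes(parentDocumentThrowing)` gives `["null", "document", "SecurityException"]`, while `outcomes(parentDocumentSilent)` gives `["null", "document", "null"]`.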