W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

ACTION-52 - open() and authentication

From: Charles McCathieNevile <chaals@opera.com>
Date: Tue, 04 Apr 2006 14:02:23 +0200
To: "Web API public" <public-webapi@w3.org>
Message-ID: <op.s7hfp9k1wxe0ny@pc031.coreteam.oslo.opera.com>

Hi, trying to clear old actions.

At the face to face we discussed the question of whether open() should be  
allowed/obliged/forbidden/... to use the authentication information that  
had been provided to access a page. In summary, I think the answer is  
"Yes, subject to security restrictions that may be imposed by a browser".

The basic scenario is that http://example.com/example has some XHR request  
to http://example.com/exampleData where both of these are secured by basic  
HTTP authentication. In general, this doesn't expose any new risk,  
although there is a risk that it can be used to pass information to  
exampleData that the user would not have done.

Where the scenario becomes, for example, http://example.com/example  
passing the data to http://valid.example/dodgyScript it is clear that this  
could imply a risk.

However, the realistic scenario of logging into http://flickr.com using an  
HTTP authentication, and then wanting to access linked data at  
http://my.yahoo.com provides an obvious use case for this if the security  
risks can be deemed acceptable. That question should not be up to this  
group to decide.

Browsers may choose to block any kind of request, or to deny it access to  
or use of authentication information. Typically they do today, in the  
absence of a well-deployed trust framework, but there are some important  
exceptions.

A similar issue is faced with cookies. (warning: The following is an IETF  
URI that will just vanish at some unspecified point in time)  
http://www.ietf.org/internet-drafts/draft-pettersen-dns-cookie-validate-00.txt  
describes one approach that is used to determine security restrictions,  
but there are other possibilities.

cheers

Chaals

-- 
Charles McCathieNevile                     chaals@opera.com
   hablo español  -  je parle français  -  jeg lærer norsk
      Peek into the kitchen: http://snapshot.opera.com/
Received on Tuesday, 4 April 2006 12:02:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT