
Re: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

From: Laurens Holst <lholst@students.cs.uu.nl>
Date: Sat, 05 Apr 2008 01:33:33 +0200
Message-ID: <47F6BACD.1040609@students.cs.uu.nl>
To: "Close, Tyler J." <tyler.close@hp.com>
CC: Maciej Stachowiak <mjs@apple.com>, Jonas Sicking <jonas@sicking.cc>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>, Nikhil Kothari <nikhilko@microsoft.com>

Close, Tyler J. wrote:
> I've written several messages to the appformats mailing list. I suggest reading all of them. The most detailed description of the attacks is in the message at:
>
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B6507@G6W0269.americas.hpqcorp.net
>
> with a correction at:
>
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B650D@G6W0269.americas.hpqcorp.net

You do realise that with XDR, ‘resource host’ has no means to 
authenticate the user using (relatively secure) HTTP digest authentication?

In order to acquire the desired functionality (for which it needs the 
user’s credentials), with XDR the resource host will most likely end up 
passing the authentication information along in the GET query string 
(bad), probably requiring the user to fill in his credentials on the 
origin site (bad), and sending the user’s password plain over the wire 
(bad).

I think the history of HTML has taught us that if people want to do 
something (e.g. styling), and you do not provide the means, they will 
abuse other mechanisms (tables) to achieve their goals. I can assure you 
people will work around the limitations of XDR in the same manner. The 
least we can do is provide a mechanism that lets the user do what he 
wants, yet is easy to control and secure.

That is the big problem with XDR’s restrictions. Well, aside from its 
breaking of REST by disallowing PUT and DELETE and setting the 
Content-Type and Accept-* headers, while favouring SOAP (which DOES have 
the ability to delete() and authenticate) and encouraging content 
sniffing. I hope you can see why I don’t share your enthusiasm for 
Microsoft’s proposal :).

~Grauw

-- 
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.




Received on Friday, 4 April 2008 23:34:16 GMT
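
The contrast the message draws between HTTP digest authentication and credentials carried in the GET query string, as an added example that is not part of the original message or of either proposal under discussion. The credential values are the sample values from RFC 2617 section 3.5; the query parameter names `user` and `password` and all function names are constructed for illustration.

```python
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value for qop=auth: only hashes leave the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def query_string_request(uri, user, password):
    """Request line when credentials ride in the GET query string (constructed)."""
    return f"GET {uri}?{urlencode({'user': user, 'password': password})} HTTP/1.1"

def digest_request(uri, user, realm, password, nonce, nc, cnonce):
    """Request line plus Authorization header for the same resource via digest."""
    resp = digest_response(user, realm, password, "GET", uri, nonce, nc, cnonce)
    header = (f'Authorization: Digest username="{user}", realm="{realm}", '
              f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, '
              f'cnonce="{cnonce}", response="{resp}"')
    return f"GET {uri} HTTP/1.1", header

def password_recoverable(request_line, password):
    """True if the request line, which access logs and proxies record,
    yields the password once its query string is decoded."""
    target = request_line.split(" ")[1]
    values = parse_qs(urlsplit(target).query)
    return any(password in v for v in values.values())

# Sample values from RFC 2617 section 3.5.
SAMPLE = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
              cnonce="0a4f113b")

if __name__ == "__main__":
    uri = "/dir/index.html"
    qs_line = query_string_request(uri, SAMPLE["user"], SAMPLE["password"])
    dg_line, dg_header = digest_request(uri, **SAMPLE)
    print(qs_line, "->", password_recoverable(qs_line, SAMPLE["password"]))
    print(dg_line, "->", password_recoverable(dg_line, SAMPLE["password"]))
    print(dg_header)
```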
