- From: Sunava Dutta <sunavad@windows.microsoft.com>
- Date: Wed, 25 Jun 2008 19:28:36 -0700
- To: Jonas Sicking <jonas@sicking.cc>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>
- CC: Arthur Barstow <art.barstow@nokia.com>, Marc Silbey <marcsil@windows.microsoft.com>, public-webapps <public-webapps@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, David Ross <dross@windows.microsoft.com>, "Mark Shlimovich (SWI)" <marksh@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Michael Champion <Michael.Champion@microsoft.com>
> Zhenbin Xu wrote:
> > I want to re-emphasize that XDR is targeting cross-domain access of public data only. One can already access those public data on the server anonymously. XDR allows this to be done from within the browser rather than through server side proxy or custom applications. The custom header is simply additional measure to allow server explicitly opt-in.
>
> What do you mean by "additional" here? In addition to what?
>
> > CS-XHR, on the other hand, appears to be trying to handle cross-domain access of private data. I don't know if the private data is meant to be something similar to personal photo album or someone's private bank account information. I would assume they have different security requirements. I don't have a clear picture how banks can utilize CS-XHR to handle their private data. Trying to provide a general solution here is bound to have a lot of pitfalls.
>
> I think some people are as concerned about their personal photo album as they are about their bank account, so I'm not sure there is a big difference between the two. But I do agree that some parts of personal data is likely to have different security requirements than other parts.
>
> I don't know how the banking people will feel about CS-XHR. It should be as safe as any other HTTP/HTTPS transaction and banks seem happy to send banking data using those protocols.

[Sunava Dutta] As Zhenbin points out on a parallel thread and I mention in my whitepaper, the ACL is visible on the client. This is unnecessary information disclosure. Do we know whether the Banking scenario falls under CS-XHR's use case? This is fundamentally a different scenario from information disclosure as compared to the personal photo album. I wouldn't care if my AC is on the client for my Flickr slides. I couldn't find anything in the AC spec that elaborates on this.

Do you have a pointer to where this is documented in case I've missed this? Below is the comprehensive set of use cases that I did manage to retrieve and they seem to be a subset of the ones I identified in my security whitepaper. They're not very helpful as they are very high level and very limited. I'm sure AC is designed to do more than this and is designed with a strong set of use cases in mind which exists today somewhere public? I'm using the editors draft...

"If a server foo.example.org implements a simple REST API to create, delete and modify resources Access Control could be used to let a nice editing application on server editing.example store the results of the editing actions on foo.example.org.

An XBL binding allows full access to the document it is bound to and therefore cross-site XBL usage is prevented. Access Control enables cross-site XBL bindings. If the user is authenticated with the server that hosts the XBL widget it is possible to have a user-specific cross-site bindings.

To prevent data theft, from e.g. intranets, cross-site XSLT usage is not possible. With Access Control several domains are able to share XSLT resources in a cross-site fashion.

If you have a Web application that fetches resources (e.g. RDF) from around the Web to extract data out of them Access Control could be used to fetch them using a single request if the resource enables cross-site access."
Received on Thursday, 26 June 2008 02:29:56 UTC
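The information-disclosure point raised above (the server's cross-domain ACL being shipped to the client) can be avoided on the server side: for public data the server opts in for everyone, while for private data it echoes back only the single requesting origin after checking it against a list the client never sees. This is an added illustration, not code from the thread or from either specification; it assumes the IE8 XDR opt-in header `XDomainRequestAllowed: 1` and the later CORS header names (`Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials`), and the allowed-origin list is constructed sample data.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin header value to scheme://host[:port].

    Returns None for anything that is not a plain http(s) origin
    (e.g. "null", a path component, or a malformed port), so that
    malformed input can never match an allow-list entry.
    """
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def public_data_headers() -> Dict[str, str]:
    """Public, anonymously readable data: opt in for every caller.

    Nothing is disclosed here that an anonymous direct request could
    not already learn, which is the XDR position in the thread.
    """
    return {"XDomainRequestAllowed": "1", "Access-Control-Allow-Origin": "*"}


def private_data_headers(origin: Optional[str],
                         allowed_origins: Iterable[str],
                         credentials: bool = True) -> Dict[str, str]:
    """Private data: echo only the requesting origin, never the ACL itself.

    An origin that is absent, malformed or not on the list gets no
    opt-in header at all, so a compliant browser withholds the body.
    """
    norm = normalize_origin(origin or "")
    if norm is None or norm not in set(allowed_origins):
        return {}
    headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

The `Vary: Origin` header keeps a shared cache from serving one origin's echoed allow header to a different origin.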