Re: Need PDF of MS' input [Was Re: Seeking earlier feedback from MS]

Sunava Dutta wrote:
>> Zhenbin Xu wrote:
>>> I want to re-emphasize that XDR is targeting cross-domain access of
>>> public data only. One can already access those public data on the
>>> server anonymously. XDR allows this to be done from within the
>>> browser rather than through server side proxy or custom applications.
>>> The custom header is simply an additional measure to allow the server
>>> to explicitly opt in.
>> What do you mean by "additional" here? In addition to what?
>>
>>> CS-XHR, on the other hand, appears to be trying to handle cross-domain
>>> access of private data. I don't know if the private data is meant to
>>> be something similar to personal photo album or someone's private bank
>>> account information. I would assume they have different security
>>> requirements. I don't have a clear picture how banks can utilize
>>> CS-XHR to handle their private data. Trying to provide a general
>>> solution here is bound to have a lot of pitfalls.
>> I think some people are as concerned about their personal photo album as
>> they are about their bank account, so I'm not sure there is a big
>> difference between the two. But I do agree that some parts of personal
>> data are likely to have different security requirements than other
>> parts.
>>
>> I don't know how the banking people will feel about CS-XHR. It should be
>> as safe as any other HTTP/HTTPS transaction and banks seem happy to send
>> banking data using those protocols.
>
> [Sunava Dutta] As Zhenbin points out on a parallel thread and I
> mention in my whitepaper, the ACL's is visible on the client. This is
> unnecessary information disclosure.

If this is a problem even despite the fact that sending the ACL to the 
client is optional, then we should look into that. I can't personally 
see any problems with this for educated websites such as banking sites, 
but if you can then please let us know.

> Do we know whether the Banking
> scenario falls under CS-XHR's use case? This is fundamentally a
> different scenario from information disclosure as compared to the
> personal photo album. I wouldn't care if my AC is on the client for my
> Flickr slides.

I think it would be good if banks could use this, yes. But it's not 
listed as a requirement in the spec so even if it's not possible I would 
be fine with that. It all depends on what extra requirements banks would 
have. If the changes are too severe and would make it harder for other 
types of sites to use the spec then I would say that we should not 
support banks. If only small changes are needed to the spec then I think 
it would be very reasonable to make those changes.

I personally do not know what requirements banks have; if you have 
information on this I would be very interested to hear it. Do you for 
example know if postMessage, which was designed to allow transfer of 
private data and is available in IE8, is safe enough for bank sites?

> I couldn't find anything in the AC spec that elaborates on this. Do
> you have a pointer to where this is documented in case I've missed
> this?

The requirements for the spec are available here:
http://dev.w3.org/2006/waf/access-control/#requirements

This doesn't list bank sites so I would say they are not a strict 
requirement. But if we can cater to them while still keeping with the 
rest of the requirements then that sounds like a win for the spec.

/ Jonas

Received on Thursday, 26 June 2008 16:37:32 UTC
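The design point argued in the thread above (letting a server opt a requesting origin in without sending its whole access-control list to the client), as an added example that is not part of the original messages or the spec text. It assumes the Origin / Access-Control-Allow-Origin / Vary header names that CORS later standardized, which differ from the 2008 draft's syntax, and the allow-list is constructed.

```javascript
// Added example: server-side origin opt-in that never discloses the
// allow-list. Header names follow later CORS (an assumption here; the
// 2008 Access Control draft used a different syntax).

// Constructed allow-list; it stays on the server and is never serialised
// into a response.
const ALLOWED_ORIGINS = new Set([
  "https://photos.example.com",
  "https://partner.example.net",
]);

// Normalise an Origin header value before comparison: lower-case scheme
// and host, drop a default port, and reject anything that is not a bare
// scheme://host[:port] (no path, query, fragment or userinfo).
function normalizeOrigin(raw) {
  if (typeof raw !== "string" || raw === "null") return null;
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null;
  }
  if (url.pathname !== "/" || url.search || url.hash || url.username) {
    return null;
  }
  return url.origin; // e.g. "https://PHOTOS.example.com:443" -> "https://photos.example.com"
}

// Build the CORS response headers for one request. A caller that is on
// the list sees only its own origin echoed back; every other caller gets
// no access-control headers at all, so the browser withholds the response
// body and the caller learns nothing about who else is trusted.
function optInHeaders(requestOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    // The response now differs per Origin; tell caches so one origin's
    // allowed response is never replayed to another.
    "Vary": "Origin",
  };
}

module.exports = { normalizeOrigin, optInHeaders, ALLOWED_ORIGINS };
```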