- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 26 Jun 2008 09:35:58 -0700
- To: Sunava Dutta <sunavad@windows.microsoft.com>
- Cc: Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Arthur Barstow <art.barstow@nokia.com>, Marc Silbey <marcsil@windows.microsoft.com>, public-webapps <public-webapps@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, David Ross <dross@windows.microsoft.com>, "Mark Shlimovich (SWI)" <marksh@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Michael Champion <Michael.Champion@microsoft.com>
Sunava Dutta wrote:
>> Zhenbin Xu wrote:
>>> I want to re-emphasize that XDR is targeting cross-domain access of
>>> public data only. One can already access those public data on the
>>> server anonymously. XDR allows this to be done from within the
>>> browser rather than through server side proxy or custom applications.
>>> The custom header is simply additional measure to allow server
>>> explicitly opt-in.
>>
>> What do you mean by "additional" here? In addition to what?
>>
>>> CS-XHR, on the other hand, appears to be trying to handle cross-domain
>>> access of private data. I don't know if the private data is meant to
>>> be something similar to personal photo album or someone's private bank
>>> account information. I would assume they have different security
>>> requirements. I don't have a clear picture how banks can utilize
>>> CS-XHR to handle their private data. Trying to provide a general
>>> solution here is bound to have a lot of pitfalls.
>>
>> I think some people are as concerned about their personal photo album as
>> they are about their bank account, so I'm not sure there is a big
>> difference between the two. But I do agree that some parts of personal
>> data are likely to have different security requirements than other
>> parts.
>>
>> I don't know how the banking people will feel about CS-XHR. It should be
>> as safe as any other HTTP/HTTPS transaction and banks seem happy to send
>> banking data using those protocols.
>
> [Sunava Dutta] As Zhenbin points out on a parallel thread and I
> mention in my whitepaper, the ACL is visible on the client. This is
> unnecessary information disclosure.

If this is a problem even despite the fact that sending the ACL to the client is optional, then we should look into that. I can't personally see any problems with this for educated websites such as banking sites, but if you can then please let us know.

> Do we know whether the Banking scenario falls under CS-XHR's use case?
> This is fundamentally a different scenario from information disclosure
> as compared to the personal photo album. I wouldn't care if my AC is on
> the client for my Flickr slides.

I think it would be good if banks could use this, yes. But it's not listed as a requirement in the spec, so even if it's not possible I would be fine with that. It all depends on what extra requirements banks would have. If the changes are too severe and would make it harder for other types of sites to use the spec, then I would say that we should not support banks. If only small changes are needed to the spec, then I think it would be very reasonable to make those changes.

I do personally not know what requirements banks have; if you have information on this I would be very interested to hear. Do you, for example, know if postMessage, which was designed to allow transfer of private data and is available in IE8, is safe enough for bank sites?

> I couldn't find anything in the AC spec that elaborates on this. Do
> you have a pointer to where this is documented in case I've missed
> this?

The requirements for the spec are available here:

http://dev.w3.org/2006/waf/access-control/#requirements

This doesn't list bank sites, so I would say they are not a strict requirement. But if we can cater to them while still keeping with the rest of the requirements, then that sounds like a win for the spec.

/ Jonas
Received on Thursday, 26 June 2008 16:37:32 UTC