Re: [cors] ACTION-11 API use cases

From: Sean Hogan <shogun70@westnet.com.au>
Date: Tue, 10 Feb 2009 23:00:35 +1100
Message-ID: <49916C63.8030208@westnet.com.au>
To: Anne van Kesteren <annevk@opera.com>
CC: WebApps WG <public-webapps@w3.org>, Maciej Stachowiak <mjs@apple.com>

I don't think the presented XBL use case is valid:

"An XBL binding allows full access to the document it is bound to and 
therefore cross-origin XBL usage is prohibited. The resource sharing 
policy enables cross-origin XBL bindings. If the user is authenticated 
with the server that hosts the XBL widget it is possible to have a 
user-specific cross-origin bindings."

I'm not sure whether "an XBL binding allows full access to the document 
it is bound to" is talking about accessing the DOM of the bound-document 
or the binding-document, but I don't think either case requires 
access-control.

I don't see where the XBL spec says that the bound-document must have 
access to the binding-document, so I don't understand why cross-origin 
restrictions would apply.

And I don't understand why we should prohibit the XBL binding having 
access to the bound-document. That's the whole point of XBL, and we 
already have the same situation with <script src>. If you don't trust 
the XBL bindings then don't reference them, just like with scripts.





Anne van Kesteren wrote:
>
> I took a stab at ACTION-11 which is currently assigned to Maciej:
>
>   http://www.w3.org/2008/webapps/track/actions/11
>   http://dev.w3.org/2006/waf/access-control/#use-cases
>
> If this is good enough I suggest we close the action.
>
>
Received on Tuesday, 10 February 2009 12:02:28 GMT
