
Re: [cors] ACTION-11 API use cases

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 10 Feb 2009 13:06:10 +0100
To: "Sean Hogan" <shogun70@westnet.com.au>
Cc: "WebApps WG" <public-webapps@w3.org>, "Maciej Stachowiak" <mjs@apple.com>
Message-ID: <op.uo4w8kea64w2qv@annevk-t60.oslo.opera.com>

On Tue, 10 Feb 2009 13:00:35 +0100, Sean Hogan <shogun70@westnet.com.au>  
wrote:
> I don't think the presented XBL use case is valid:
>
> "An XBL binding allows full access to the document it is bound to and  
> therefore cross-origin XBL usage is prohibited. The resource sharing  
> policy enables cross-origin XBL bindings. If the user is authenticated  
> with the server that hosts the XBL widget it is possible to have a  
> user-specific cross-origin binding."
>
> I'm not sure whether "an XBL binding allows full access to the document  
> it is bound to" is talking about accessing the DOM of the bound-document  
> or the binding-document, but I don't think either case requires  
> access-control.
>
> I don't see where the XBL spec says that the bound-document must have  
> access to the binding-document, so I don't understand why cross-origin  
> restrictions would apply.
>
> And I don't understand why we should prohibit the XBL binding having  
> access to the bound-document. That's the whole point of XBL, and we  
> already have the same situation with <script src>. If you don't trust  
> the XBL bindings then don't reference them, just like with scripts.

That example is based on

   http://www.w3.org/TR/2007/CR-xbl-20070316/#security

and maybe some discussion with Ian regarding this. It's been a while.

Does that help?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 10 February 2009 12:06:56 GMT
