W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [cors] ACTION-11 API use cases

From: Sean Hogan <shogun70@westnet.com.au>
Date: Wed, 11 Feb 2009 15:42:02 +1100
Message-ID: <4992571A.9000402@westnet.com.au>
To: Anne van Kesteren <annevk@opera.com>
CC: WebApps WG <public-webapps@w3.org>, Maciej Stachowiak <mjs@apple.com>

Anne van Kesteren wrote:
> On Tue, 10 Feb 2009 13:00:35 +0100, Sean Hogan 
> <shogun70@westnet.com.au> wrote:
>> I don't think the presented XBL use case is valid:
>>
>> "An XBL binding allows full access to the document it is bound to and 
>> therefore cross-origin XBL usage is prohibited. The resource sharing 
>> policy enables cross-origin XBL bindings. If the user is 
>> authenticated with the server that hosts the XBL widget it is 
>> possible to have a user-specific cross-origin  bindings."
>>
>> I'm not sure whether "an XBL binding allows full access to the 
>> document it is bound to" is talking about accessing the DOM of the 
>> bound-document or the binding-document, but I don't think either case 
>> requires access-control.
>>
>> I don't see where the XBL spec says that the bound-document must have 
>> access to the binding-document, so I don't understand why 
>> cross-origin restrictions would apply.
>>
>> And I don't understand why we should prohibit the XBL binding having 
>> access to the bound-document. That's the whole point of XBL, and we 
>> already have the same situation with <script src>. If you don't trust 
>> the XBL bindings then don't reference them, just like with scripts.
>
> That example is based on
>
>   http://www.w3.org/TR/2007/CR-xbl-20070316/#security
>
> and maybe some discussion with Ian regarding this. It's been a while.
>
> Does that help?
>
>
Ok, I can see that the use case is consistent with what is in the XBL 
spec. I prefer the following wording:

A XBL binding allows the document to which it is bound to have full 
access to the document in which it is defined; therefore cross-origin 
XBL usage is prohibited.

I disagree with the security context of a XBL document being the bound 
document, but that isn't relevant to this thread.
Received on Wednesday, 11 February 2009 04:43:56 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:29 GMT