W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: CORS Background slides

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 4 Nov 2009 21:01:58 -0800
Message-ID: <63df84f0911042101y2fd3e7d1i55ded0ce41a86fc7@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Tyler Close <tyler.close@gmail.com>, WebApps WG <public-webapps@w3.org>
On Wed, Nov 4, 2009 at 5:57 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> [1] To recap the DBAD discipline:
> Either:
> A) Never make a request to a site on behalf of a different site; OR
> B) Guarantee that all requests you make on behalf of a third-party site are
> syntactically different from any request you make on your own behalf.
> In this discipline, "on behalf of" does not necessary imply that the
> third-party site initiated the deputizing interaction; it may include
> requesting information from a third-party site and then constructing a
> request to a different site based on it without proper checking. (In general
> proper checking may not be possible, but making third-party requests look
> different can always be provided for by the protocol.)

One simple way of allowing websites to do B would be to provide a
GuestXHR object (I'm not exited about the name, but I won't suggest
alternatives right now in order to avoid bikeshed discussions). I.e.
if browsers provided a GuestXHR object, then sites could use that
whenever they acted as a deputy. This would be my recommendation at
this stage.

This would also allow sites to choose between two security models, one
based on principal information being added to the request, one based
on secret tokens passed around.

The requirements on the GuestXHR object would be:
1. Never include any information identifying either the user or the
site making the request. I.e. no Origin, referrer, cookies, http-auth,
client side certs, etc.
2. If the request is cross site, the target site has to opt in to
allowing the result to be returned to the requester. This is in order
to protect data behind firewalls.

/ Jonas
Received on Thursday, 5 November 2009 05:02:53 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:20 UTC