W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Semi-public resources in Uniform Messaging

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 8 Dec 2009 11:56:33 -0800
Message-ID: <5691356f0912081156m744ce7d8o33268b38ed0e4c84@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps@w3.org
Hi Ian,

I assume you want to move on to the XHR-like example, so I've just got
a few clarification questions about it...

On Tue, Dec 8, 2009 at 11:18 AM, Ian Hickson <ian@hixie.ch> wrote:
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html
> To recast the question in terms of XMLHttpRequest, how would one label a
> static resource on an intranet server, e.g.:
>   http://marketing.corp.example.com/productcodes.xml
> ...such that it can be read (using XMLHttpRequest) by scripts embedded on
> pages from the following hosts:
>   http://www.corp.example.com/
>   http://finance.corp.example.com/
>   http://eng.corp.example.com/
>   http://intranet.example.com/
> ...but such that it could _not_ be read by pages from the following hosts
> (i.e. the HTTP response would not be made accessible to scripts on pages
> from these hosts):
>   http://hostile-blog.example.com/
>   http://www.hostile.example/

Are you saying a firewall prevents the author of the attack pages from
directing his own browser to any of the legitimate pages that have
access to the data? So, all the resources with access to the secret
data are hosted by servers behind a firewall; and all the attackers
are outside the firewall? Furthermore, all the resources with access
to the secret data are trusted to not send the secret data to the
attacker? It also seems that any resource hosted behind the firewall
also has access to the secret data, since it can just send a request
server-to-server, instead of server-to-browser-to-server. True?


"Waterken News: Capability security on the Web"
Received on Tuesday, 8 December 2009 19:57:13 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:21 UTC