Re: Semi-public resources in Uniform Messaging

On Tue, 8 Dec 2009, Tyler Close wrote:
> 
> I assume you want to move on to the XHR-like example, so I've just got a 
> few clarification questions about it...

The examples are equivalent as far as I can tell. Both are important; for 
me, the <video> one is more important since I'm editing the spec that will 
need to define how to work with <video>.


> On Tue, Dec 8, 2009 at 11:18 AM, Ian Hickson <ian@hixie.ch> wrote:
> > http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html
> >
> > To recast the question in terms of XMLHttpRequest, how would one label a
> > static resource on an intranet server, e.g.:
> >
> >   http://marketing.corp.example.com/productcodes.xml
> >
> > ...such that it can be read (using XMLHttpRequest) by scripts embedded on
> > pages from the following hosts:
> >
> >   http://www.corp.example.com/
> >   http://finance.corp.example.com/
> >   http://eng.corp.example.com/
> >   http://intranet.example.com/
> >
> > ...but such that it could _not_ be read by pages from the following hosts
> > (i.e. the HTTP response would not be made accessible to scripts on pages
> > from these hosts):
> >
> >   http://hostile-blog.example.com/
> >   http://www.hostile.example/
> 
> Are you saying a firewall prevents the author of the attack pages from 
> directing his own browser to any of the legitimate pages that have 
> access to the data?

I don't think the firewall situation is really relevant, but for the sake 
of argument, let's say that the user is inside the firewall (or on VPN), 
and that *.corp.example.com are only accessible inside the firewall, and 
that intranet.example.com is accessible outside but only through TLS and 
with strong client authentication, and that hostile-blog.example.com and 
www.hostile.example are accessible outside without authentication.

> So, all the resources with access to the secret data are hosted by 
> servers behind a firewall; and all the attackers are outside the 
> firewall?

No.


> Furthermore, all the resources with access to the secret data are 
> trusted to not send the secret data to the attacker?

Yes, the resources who should be able to read the secret data are trusted 
not to send the data to untrusted third parties.


> It also seems that any resource hosted behind the firewall also has 
> access to the secret data, since it can just send a request 
> server-to-server, instead of server-to-browser-to-server. True?

In this example, yes, the resource on marketing.corp.example.com is not 
protected from direct access in any way other than via the firewall.

A more realistic example would probably have the resource protected from 
direct access by cookie-based authentication, but for the time being I 
think it's simpler to focus on the example without _user_ authentication 
being present also.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 9 December 2009 09:39:59 UTC
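The thread's question is how to label a resource so that scripts on a listed set of origins can read it while others cannot. Below is an added illustration (not code from the thread, the draft, or any browser) of the server-side and browser-side halves of that check as CORS performs it: the server keeps an origin allow-list, echoes the requesting origin in Access-Control-Allow-Origin when it is listed, and sends Vary: Origin so caches do not leak one origin's allow-header to another; the browser only exposes the body to script when the header is "*" or exactly equals the page's origin. The allow-list below is constructed from the hosts named in the thread; the function names are hypothetical. Because the header can carry only one origin or "*", a static file with fixed headers cannot express this list, which is the practical difficulty behind the "static resource" question above.

```python
"""Origin allow-list for a semi-public resource (added example, hypothetical API)."""
from typing import Dict, Optional, Tuple

# Allow-list constructed from the legitimate hosts named in the thread.
# Matching is on the exact serialized origin (scheme://host[:port]), so
# "http://www.corp.example.com.hostile.example" does not match a listed entry.
ALLOWED_ORIGINS = frozenset({
    "http://www.corp.example.com",
    "http://finance.corp.example.com",
    "http://eng.corp.example.com",
    "http://intranet.example.com",
})


def cors_headers_for(origin_header: Optional[str]) -> Dict[str, str]:
    """Return the CORS response headers to attach for a given Origin request header.

    A listed origin gets Access-Control-Allow-Origin echoing that exact origin.
    Anything else (unlisted origin, or no Origin header at all) gets no allow
    header, so the browser will not expose the body to the calling script.
    Vary: Origin is always sent so a shared cache never replays one origin's
    allow-header to a request from a different origin.
    """
    headers = {"Vary": "Origin"}
    if origin_header is not None and origin_header in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin_header
    return headers


def serve_productcodes(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Hypothetical handler for the productcodes.xml resource in the thread.

    Note that the body is sent regardless of origin: the CORS headers only
    govern what a browser exposes to script. As the thread points out, a
    server-to-server fetch is not restricted by this mechanism at all; that
    would need user or client authentication on top.
    """
    body = b"<productcodes/>"  # constructed placeholder content
    headers = {"Content-Type": "application/xml"}
    headers.update(cors_headers_for(request_headers.get("Origin")))
    return 200, headers, body


def browser_exposes_response(page_origin: str, response_headers: Dict[str, str]) -> bool:
    """Simplified model of the browser-side check for a credential-less request.

    The response is handed to script only when the allow header is "*" or is a
    byte-for-byte match for the requesting page's origin. A missing header, a
    different origin, or a comma-joined list of origins all fail the check.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin
```

Run with the listed and hostile origins from the thread: the corp and intranet pages get the body exposed, the hostile pages do not, and labelling the file with a fixed "*" instead would expose it to everyone.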