- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 9 Dec 2009 09:39:27 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org
- Message-ID: <Pine.LNX.4.62.0912090933580.16061@hixie.dreamhostps.com>

On Tue, 8 Dec 2009, Tyler Close wrote:
>
> I assume you want to move on to the XHR-like example, so I've just got a
> few clarification questions about it...

The examples are equivalent as far as I can tell. Both are important; for
me, the <video> one is more important since I'm editing the spec that will
need to define how to work with <video>.

> On Tue, Dec 8, 2009 at 11:18 AM, Ian Hickson <ian@hixie.ch> wrote:
> > http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html
> >
> > To recast the question in terms of XMLHttpRequest, how would one label a
> > static resource on an intranet server, e.g.:
> >
> >    http://marketing.corp.example.com/productcodes.xml
> >
> > ...such that it can be read (using XMLHttpRequest) by scripts embedded on
> > pages from the following hosts:
> >
> >    http://www.corp.example.com/
> >    http://finance.corp.example.com/
> >    http://eng.corp.example.com/
> >    http://intranet.example.com/
> >
> > ...but such that it could _not_ be read by pages from the following hosts
> > (i.e. the HTTP response would not be made accessible to scripts on pages
> > from these hosts):
> >
> >    http://hostile-blog.example.com/
> >    http://www.hostile.example/
>
> Are you saying a firewall prevents the author of the attack pages from
> directing his own browser to any of the legitimate pages that have
> access to the data?

I don't think the firewall situation is really relevant, but for the sake
of argument, let's say that the user is inside the firewall (or on VPN),
and that *.corp.example.com are only accessible inside the firewall, and
that intranet.example.com is accessible outside but only through TLS and
with strong client authentication, and that hostile-blog.example.com and
www.hostile.example are accessible outside without authentication.

> So, all the resources with access to the secret data are hosted by
> servers behind a firewall; and all the attackers are outside the
> firewall?

No.

> Furthermore, all the resources with access to the secret data are
> trusted to not send the secret data to the attacker?

Yes, the resources who should be able to read the secret data are trusted
not to send the data to untrusted third parties.

> It also seems that any resource hosted behind the firewall also has
> access to the secret data, since it can just send a request
> server-to-server, instead of server-to-browser-to-server. True?

In this example, yes, the resource on marketing.corp.example.com is not
protected from direct access in any way other than via the firewall. A
more realistic example would probably have the resource protected from
direct access by cookie-based authentication, but for the time being I
think it's simpler to focus on the example without _user_ authentication
being present also.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 9 December 2009 09:39:59 UTC
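
Added example, not part of the original message: one way to express the allow/deny policy described above for productcodes.xml, assuming the server labels the response with the CORS `Access-Control-Allow-Origin` header (a mechanism the message itself does not name). The function names are hypothetical; the hosts are the ones listed in the message.

```javascript
// Added example. Hosts come from the message; function names are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "http://www.corp.example.com",
  "http://finance.corp.example.com",
  "http://eng.corp.example.com",
  "http://intranet.example.com",
]);

// Reduce an Origin header value to scheme://host[:port]; null if it is not
// exactly one well-formed http(s) origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password || url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin;
}

// Headers to attach to productcodes.xml for a request with this Origin value.
// This only controls what a browser exposes to page scripts; it does not stop
// direct (server-to-server) fetches, which the message leaves to the firewall.
function corsHeadersFor(originHeader) {
  const headers = { Vary: "Origin" }; // response differs per Origin, so caches must key on it
  const origin = normalizeOrigin(originHeader);
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // exact match only, echoed back
  }
  return headers;
}

// For contrast: a suffix test cannot express this policy, because an allowed
// host and a denied host share the same parent domain.
function naiveSuffixCheck(originHeader) {
  return String(originHeader).endsWith(".example.com");
}

// Constructed sample requests: one allowed host and the two denied ones.
for (const o of ["http://eng.corp.example.com", "http://hostile-blog.example.com", "http://www.hostile.example"]) {
  console.log(o, corsHeadersFor(o), "suffix check:", naiveSuffixCheck(o));
}
```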