Re: Semi-public resources in Uniform Messaging

On Wed, 9 Dec 2009, Tyler Close wrote:
> 
> Ok, then for this initial simpler case, the simplest UMP solution that 
> satisfies the stated security constraints is for marketing to put the 
> product codes at a URL like:
> 
> https://marketing.corp.example.com/productcodes/?s=42tjiyrvnbpoal
> 
> , where the value of the "s" query string parameter is an unguessable 
> secret.
> 
> A GET response from this URL is served with the same-origin opt-out 
> header.

Renaming files to have unguessable names seems counter to best practice 
regarding URI naming.


Ok, let's move on to a more complex case.

Consider a static resource that is protected by a cookie authentication 
mechanism. For example, a per-user static feed updated daily on some 
server by some automated process. The server is accessible on the public 
Web. The administrator of this service has agreements with numerous 
trusted sites, let's say a dozen sites, which are allowed to fetch this 
file using XHR (assuming the user is already logged in). The sites that 
fetch this file do not require authentication (e.g. one could be my portal 
page, which is just a static HTML page, without any server-side script). 
Other sites must not be allowed access to the file.

How does one configure the server to handle this case?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 9 December 2009 15:44:04 UTC
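
Added example, not part of the original message or thread: one way a server could enforce the scenario described above (a cookie-authenticated per-user feed readable only from an allowlist of trusted sites), using Cross-Origin Resource Sharing response headers, which the message itself does not name. The origins, the cookie name "session" and the session table are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed values (assumptions, not from the thread): the allowlist of
# trusted sites, the cookie name "session" and the session table.
TRUSTED_ORIGINS = frozenset({
    "https://portal.example.org",
    "https://reader.example.net",
})
SESSIONS = {"sid-alice": "alice"}


def feed_response(request_headers):
    """Decide status, headers and body for a GET of the per-user feed."""
    # The feed is per-user, so shared caches must not store it; Vary stops
    # any cache from replaying one origin's grant to a different origin.
    headers = {"Vary": "Origin", "Cache-Control": "private"}

    cookies = SimpleCookie(request_headers.get("Cookie", ""))
    sid = cookies["session"].value if "session" in cookies else None
    user = SESSIONS.get(sid)
    if user is None:
        return 401, headers, ""

    origin = request_headers.get("Origin")
    if origin is not None:
        # Exact string match only: no substring or suffix tests, and the
        # literal origin "null" is never on the list.
        if origin not in TRUSTED_ORIGINS:
            return 403, headers, ""
        # A credentialed cross-origin read needs the specific origin echoed
        # back; browsers reject the "*" wildcard when cookies are sent.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"

    return 200, headers, "feed for " + user
```

The calling page also has to opt in to sending the cookie by setting withCredentials on its XMLHttpRequest; without it the request arrives unauthenticated and this handler answers 401.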