W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Semi-public resources in Uniform Messaging

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 9 Dec 2009 09:53:44 -0800
Message-ID: <5691356f0912090953j519db31t9d5cf188b14f8d72@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps@w3.org
On Wed, Dec 9, 2009 at 7:43 AM, Ian Hickson <ian@hixie.ch> wrote:
> Ok, let's move on to a more complex case.
>
> Consider a static resource that is protected by a cookie authentication
> mechanism. For example, a per-user static feed updated daily on some
> server by some automated process. The server is accessible on the public
> Web. The administrator of this service has agreements with numerous
> trusted sites, let's say a dozen sites, which are allowed to fetch this
> file using XHR (assuming the user is already logged in). The sites that
> fetch this file do not require authentication (e.g. one could be my portal
> page, which is just a static HTML page, without any server-side script).
> Other sites must not be allowed access to the file.
>
> How does one configure the server to handle this case?

Again going with the simplest thing that could possibly work:

Each of the per-user static feeds is referenced by a unique
unguessable URL of the same format used in the previous example. For
example,

https://example.com/user123/?s=42tjiyrvnbpoal
https://example.com/user456/?s=sdfher34nvl34
...

Again, a GET response from such a URL carries the same-origin opt-out header.

The user gives this URL only to those services he wants to access the
feed. For example, you could copy this URL into your personal static
HTML page that acts as your portal.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 9 December 2009 17:54:24 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT