W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 17 Dec 2009 15:54:01 -0800
Message-ID: <5691356f0912171554p116dded1o81dda15dfe2a010c@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps <public-webapps@w3.org>
On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Thu, 17 Dec 2009, Tyler Close wrote:
>> On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson <ian@hixie.ch> wrote:
>> > One of the big reasons to restrict which origin can use a particular
>> > resource is bandwidth management. For example, resources.example.com
>> > might want to allow *.example.com to use its XBL files, but not allow
>> > anyone else to directly use the XBL files straight from
>> > resources.example.com.
>>
>> An XBL file could include some JavaScript code that blows up the page if
>> the manipulated DOM has an unexpected document.domain.
>
> This again requires script. I don't deny there are plenty of solutions you
> could use to do this with script. The point is that CORS allows one line
> in an .htaccess file to solve this for all XBL files, all XML files, all
> videos, everything on a site, all at once.

I'm not trying to deny you your one line fix. I'm just saying it
should be a different one line than the one used for access control.
Conflating the two issues, the way CORS does, creates CSRF-like
problems. Address bandwidth management, along with other embedding
issues, while standardizing an <iframe> busting technique.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Thursday, 17 December 2009 23:54:34 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT