W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 21 Dec 2009 22:39:31 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0912212237480.15825@hixie.dreamhostps.com>
On Mon, 21 Dec 2009, Tyler Close wrote:
> 
> No, there is a difference in access-control between the two designs.
> 
> In the two header design:
> 1) An XHR GET of the XBL file data by example.org *is* allowed.
> 2) An <xbl> import of the XBL data by example.org triggers a rendering error.

That's a bad design. It would make people think they had secured the file 
when they had not.

Security should be consistent across everything.


> In the one header design:
> 1) An XHR GET of the XBL file data by example.org is *not* allowed.
> 2) An <xbl> import of the XBL data by example.org triggers a rendering error.

That's what I want.


> Under the two header design, everyone has read access to the raw bits
> of the XBL file.

That's a bad thing.


> The one header design makes an empty promise to protect read access to 
> the XBL file.

How is it an empty promise?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 21 December 2009 22:39:59 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT