- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 4 Jul 2012 16:08:33 +0200
- To: WebID <public-webid@w3.org>, Read-Write-Web <public-rww@w3.org>
- Message-Id: <987CD9CF-3D14-493C-B08F-EB086D9BF853@bblfish.net>
I am just working on CORS [1] and would like to point out some similarities I am noticing there with the work on Delegation we have been speaking of previously [2] and will help make the case for it. Identification of the agent that one is acting on behalf of In CORS (as in Delegation) there is an agent making a request on a resource that is passing through an intermediate agent. In CORS the final agent receiving the information is some JavaScript being executed in the browser. The browser is hosting another agent - the javascript symbiont (that may be a parasite), which can communicate back with the home web site. The browser is acting in the role of the secretary - it is known as the User-Agent - and it wishes to act on behalf of some hosted agent (identified as the service it can communicate with directly: the origin web site). When the browser makes an HTTP request on behalf of such a javascript agent it needs to identify the agent it is working for. It does this with the "Origin" header GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Referer: http://foo.example/examples/access-control/simpleXSInvocation.html Origin: http://foo.example Parallel 1: Origin as Acting-on-behalf-of This Origin header is saying in effect: the request for this resource is destined to an agent that comes from http://foo.example/ and can communicate with that web site. In this the Origin header is somewhat similar to our Acting-on-behalf-of: header. The browser is using the authentication credentials of the user, but acting for another agent. The parallel here is very strong. What are the differences? I am not sure if any service uses the information about the Origin to restrict access to information. Perhaps banks do this, because they don't trust that javascript from another site is not passing the information along to someone else. Restrictions on who can see what The CORS standard was initially called "Access Control for Cross-Site Requests" [4], and this was later changed to "Cross-Origin Resource Sharing", and a trace of the original thinking remains in the name of the HTTP headers. It is easy to see why this change was made, as CORS is not dealing with access control on the server side as we usually think of it, because the server serving the resource is not refusing to release information - well often this is the case - but it is rather adding information restricting how the resource can be used by XMLHttpRequest agents. The server (let us call it http://foo.example ) does this by adding HTTP headers such as the following to the resources it releases: (a) Access-Control-Allow-Origin: * or (b) Access-Control-Allow-Origin: http://hello-world.example (a) is saying: everyone (specifically every javascript agent) can use this information, (b) is saying: this information should only be used by agents named as coming from hello-world.example. When none of the above are present then this means that XMLHttpRequests made by agents that do not come from the same domain as foo.example are not allowed to work with the data. CORS will say that these headers are statements to relax how the information can be used, not to restrict it, because by default XMLHttpRequests made by javascript agents coming from a different server are not allowed to see data or javascript from any other server at all... But we are in the same ball park. parallel 2: access control by transmission of policy With our proposal of adding an Acting-on-behalf-of: header there is also an assumed policy that needs to be made clear which is that the secretary is not meant to pass that information on to other agents other than the one it is acting on behalf of. The difference here is that the agent that is following the policy is not the secretary/XMLHttpRequest agent but the browser. The browser acting on behalf of the user is receiving the information from a web site, with an access control restriction ( Access-Control-Allow-Origin: ) and is deciding whether or not it is authorised to pass it on to the potential javascript virus. This would be similar to a Web Server adding restrictions on who can do what with some information. In our Authorization Delegation scenario we could imagine that a server only releases information to Secretary Agents that it knows can reason with Access Control Ontologies and add a header to a request such as Access-Control-Restrictions: /acl#foaf HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 00:23:53 GMT Server: Apache/2.0.61 Access-Control-Restrictions: /acl#foaf Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/xml where at the resource /acl a #foaf restriction would describe precisely who (what group of agents) can see the resource. To be close to the CORS example we would have Access-Control-Only: http://bblfish.net/#hjs , http://joe.name/#me But that could get to be quite long. PUT/POST/DELETE Until now we have only really considered in our Authorization Delegation sketches [3][2], what we are doing with respect to indempotent GET Requests. CORS also has done some work with respect to PUT/POST/DELETE [5] with Preflight Requests. Here the browser - acting again as a secretary - is checking before making a non-indempotent request whether those actions would be authorised if known to be coming from that other agent. I think one could apply the same procedure to our Authorization delegation which would need something like preflight-requests for the Acting-on-behalf-of header. I could take the example from the Mozilla web site and adapt it to use the Acting-on-behalf-of header, instead of the Origin header. OPTIONS /resources/post-here/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Acting-on-behalf-Of: http://bblfish.net/#hjs Access-Control-Request-Method: POST Access-Control-Request-Headers: X-PINGOTHER HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 01:15:39 GMT Server: Apache/2.0.61 (Unix) Access-Control-Allow-Agent: http://bblfish.net/#hjs Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-PINGOTHER Access-Control-Max-Age: 1728000 Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 0 Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/plain POST /resources/post-here/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive X-PINGOTHER: pingpong Content-Type: text/xml; charset=UTF-8 Referer: http://foo.example/examples/preflightInvocation.html Content-Length: 55 Acting-on-behalf-Of: http://bblfish.net/#hjs Pragma: no-cache Cache-Control: no-cache <?xml version="1.0"?><person><name>Arun</name></person> [ NOTE: here WebID Authentication takes place ! ] HTTP/1.1 200 OK Date: Mon, 01 Dec 2008 01:15:40 GMT Server: Apache/2.0.61 (Unix) Access-Control-Allow-Origin: http://foo.example Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 235 Keep-Alive: timeout=2, max=99 Connection: Keep-Alive Content-Type: text/plain Having written this out it seems to me that the parallels are very strong here, and that we are dealing within the same logical domain. With WebID authentication we can be a lot more precise as to what the agents are - we don't need to limit ourselves to a whole domain. Henry [1] https://developer.mozilla.org/en/http_access_control#Origin [2] http://www.w3.org/wiki/WebID/Delegation [3] http://lists.w3.org/Archives/Public/public-webid/2012Jun/0012.html [4] The older versions of the standard were called "Access Control for Cross-Site Requests" eg: http://www.w3.org/TR/2008/WD-access-control-20080912/ [5] https://developer.mozilla.org/en/http_access_control#Preflighted_requests Social Web Architect http://bblfish.net/
Received on Wednesday, 4 July 2012 14:09:07 UTC