[whatwg] Re: Cross Domain Policies from Doron Rosenberg on 2004-07-28 (public-whatwg-archive@w3.org from July 2004)

From: Doron Rosenberg <doronr@gmail.com>
Date: Tue, 27 Jul 2004 23:29:04 -0200
Message-ID: <6814aebd04072718295c235d66@mail.gmail.com>
On Tue, 27 Jul 2004 09:18:14 +0100, Jim Ley <jim.ley at gmail.com> wrote:
> On Mon, 26 Jul 2004 17:07:33 -0500, Doron Rosenberg <doronr at gmail.com> wrote:
> > Cross domain scripting is easily doable in all browsers today, and it
> > won't change.  Any domain can include javascript files from any other
> > domain.  That allows 2 way communications.  Done.
> 
> Indeed, but that's a completely different threat scenario to access
> non javascript files across domains.   I think you're being very
> misleadin about why cross domain access to URLS are blocked.
> 

No one is talking about file access, its access to services.

> > This doesn't make web services less secure - most programing toolkits
> > allow cross domain web services without any restrictions.
> 
> Most programming toolkits aren't run in a browser!  This _DOES_ make
> Mozilla SOAP in secure, I have SOAP services running on this intranet
> which are protected purely by the fact they're behind the firewall,
> any machine here can access them, those outside cannot - However,
> www.anydomain.org can use them easily, if someone happens to drop an
> XML file in the root.

A XML file named a certain way with a certain syntax.  If you have
SOAP services that don't authenticate in some sort of way, that is
your own problem.  As long as browsers have cross domain issues, you
should always authenticate, even in an intranet.

Oh, and Macromedia Flex, flash based XUL, can set this pref on the
server, meaning any server could set your intranet as a place to do
cross domain calls :)
> 
> > If they want to restrict, they can use username/passwords to do that,
> > as does Google.
> 
> This is orthogonal to the ability of a webbrowser to make the request.
> 
> > The only reason we didn't allow cross domain web services access are
> > intranets - since mozilla does the actually SOAP connection, user A in
> > a workplace with internet and intranet access could get to evil.com,
> > which talks to an intranet web service.
> 
> Ah, so you do understand the problem, unfortunately though, you don't
> actually realise that not all "intranets" are quite so simple as you
> describe for Mozilla to know.
> 
> This is not secure, and I ask you again, How do I disable this ability
> in Mozilla, it is laxxer security, please do not pretend otherwise
> with your "cross frame scripting is always possible" and can you
> please tell me how to disable this 'feature' in Mozilla.
> 
> For the other browser vendors in WHATWG - Do not implement this.
> 
> Jim.

I still don't see any reason why the Mozilla way is unsecure.  Unless
a magical XML file appears out of nowhere, and an evil.com someone
knew the exact location of a internal webserivce that doesn't
authenticate.

As for a pref to disable this, there is none I believe.  File a bug if
you want one, would be trivial to implement.
Received on Tuesday, 27 July 2004 18:29:04 UTC