[Editorial Draft] Access Control for Cross-site Requests Requirements

Editor's Draft 08 January 2009

This version:
TBD-20090108.html ( xml )
Latest version:
TBD
Previous version:
Unapproved Editors Drafts:
Editor:
David Orchard, BEA Systems, Inc. <David.Orchard@BEA.com>

Copyright © 2008 W3C® (MIT, INRIA, Keio), All Rights Reserved. W3C liability, trademark, document use, and software licensing rules apply.

Abstract

This document provides goals, requirements and usage scenarios for Access Control for Cross-site requests.

Status of this Document

This document is an editors' copy that has no official standing.

This document has been developed for discussion by the Web Application Formats Working Group. It does not yet represent the consensus opinion of the Working Group.

Please send comments to the WAF Working Group's public mailing list public-appformats@w3.org with access-control] at the start of the subject line. Archives of this list are available. See also W3C mailing list and archive usage guidelines.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Publication of this document does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time.

Please send comments on this finding to the publicly archived TAG mailing list www-tag@w3.org (archive).

Table of Contents

1. Goals
2. Usage Scenarios
3. Requirements
    3.1 Terminology
    3.2 Control in hands of server
    3.3 No server software changes
    3.4 Use of GET without any Scripting
    3.5 Configurable on per-resource basis
    3.6 Configurable without main site admin intervention
    3.7 No new XSS attacks when user changes client
    3.8 No new XSS attacks when author changes server
    3.9 No access granted because of caching.
4. Acknowledgements

Appendix

A. Change Log (Non-Normative)

1. Goals

A goal of the Web Applications Format Working Group is to produce a mechanism that enables the specification of access control for cross-site requests.

2. Usage Scenarios

3. Requirements

3.1 Terminology

The terms MUST, SHOULD and MAY are used in the RFC 2119 sense.

3.2 Control in hands of server

AC4CSR MUST leave the control in the hand of the server. Ednote: I have no idea what this means

3.3 No server software changes

AC4CSR MUST be implemented without changing the actual server software

3.4 Use of GET without any Scripting

AC4CSR MUST use GET to provide files for cross-domain access without scripting of any kind of the server side.

Ednote: this seems like a design rather than a requirement. I think the real requirement is an HTTP method that works with most/all server software and the problem with non-GET is apache.

3.5 Configurable on per-resource basis

AC4CSR MUST be configurable on a per-resource basis

3.6 Configurable without main site admin intervention

AC4CSR MUST be configurable without coordination with the main site administrator

3.7 No new XSS attacks when user changes client

AC4CSR MUST introduce no new XSS attack vectors when a user changes client, assuming the client is conforming to the new spec

3.8 No new XSS attacks when author changes server

AC4CSR MUST introduce no new XSS attack vectors when an author changes server, assuming the server is conforming to the new spec

3.9 No access granted because of caching.

AC4SR MUST not introduce the risk of caches inadvertently allowing access when it should not be allowed.

4. Acknowledgements

A. Change Log (Non-Normative)

Table A-1. Changes
WhoWhenWhat
DBO20080108Initial revision.