]>
[Editorial Draft] Access Control for Cross-site Requests Requirements &basename;-&iso6.doc.date; Editors Draft &draft.day; &draft.monthname; &draft.year; &draftname;.html ( xml ) TBD Unapproved Editors Drafts: David Orchard BEA Systems, Inc. David.Orchard@BEA.com

Copyright © 2003 W3C ® (MIT, INRIA, Keio), All Rights Reserved. W3C liability, trademark, document use, and software licensing rules apply.

This document provides goals, requirements and Use Cases for Access Control for Cross-site requests.

This document has been developed for discussion by the Web Application Formats Working Group. It does not yet represent the consensus opinion of the Working Group.

Please send comments to the WAF Working Group's public mailing list public-appformats@w3.org with access-control] at the start of the subject line. Archives of this list are available. See also W3C mailing list and archive usage guidelines.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Publication of this document does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time.

Please send comments on this finding to the publicly archived TAG mailing list www-tag@w3.org (archive).

Created in electronic form.

 English 2008-01-08: Published draft
Goals

A goal of the Web Applications Format Working Group is to produce a mechanism that enables the specification of access control for cross-site requests.

Usage Scenarios Requirements Terminology

The terms MUST, SHOULD and MAY are used in the RFC 2119 sense.

 Control in hands of server

AC4CSR MUST leave the control in the hand of the server. Ednote: I have no idea what this means

 No server software changes

AC4CSR MUST be implemented without changing the actual server software

 Use of GET without any Scripting

AC4CSR MUST use GET to provide files for cross-domain access without scripting of any kind of the server side.

Ednote: this seems like a design rather than a requirement. I think the real requirement is an HTTP method that works with most/all server software and the problem with non-GET is apache.

 Configurable on per-resource basis

AC4CSR MUST be configurable on a per-resource basis

 Configurable without main site admin intervention

AC4CSR MUST be configurable without coordination with the main site administrator

No new XSS attacks when user changes client

AC4CSR MUST introduce no new XSS attack vectors when a user changes client, assuming the client is conforming to the new spec

 No new XSS attacks when author changes server

AC4CSR MUST introduce no new XSS attack vectors when an author changes server, assuming the server is conforming to the new spec

 No access granted because of caching.

AC4SR MUST not introduce the risk of caches inadvertently allowing access when it should not be allowed.

 Acknowledgements

Change Log
Changes
Who When What
DBO 20080108 Initial revision.