
Re: XForms - Secure or Insecure?

From: T. V. Raman <tvraman@us.ibm.com>
Date: Wed, 25 Aug 2004 11:14:07 -0700
Message-ID: <16684.55023.451850.819194@bubbles.almaden.ibm.com>
To: bobbateman@sequoiallc.com
Cc: www-forms@w3.org

I think Aaron might be confusing cross-site scripting attacks
with cross-site Web Service invocations.

The former --- as evinced by all of today's heavily scripted Web ---
is a dangerous hole, and one should certainly not allow for code
that comes from one site to execute within another --- leave
alone code across sites executing in the same page.

The world of Web Services is *different* from cross-site
scripting; the whole point is that a Web Service allows a
provider to expose a specific piece of information in a form
that is independent of browser-specific HTML; no presentation, no
scripts please--
and the "last mile of web services" -- which is what formsPlayer
with Web Services demonstrates today --- i.e. integrating data
from different Web Services into a consistent whole---
is still achieved with no cross-site scripting.

So let's keep our threads untangled:

Cross-site scripting: BAD
Cross-Site Web Services Integration: GOOD

>>>>> "Robert" == Robert Bateman <bobbateman@sequoiallc.com> writes:
    Robert> Aaron,
    Robert> On Tuesday 24 August 2004 04:49 pm, Aaron Reed wrote:
    >> I also have a question about XForms security.  For
    >> example, the formsPlayer example at:
    >> http://www.formsplayer.com/community/samples/google-search.html.
    >> Running this example in a browser should raise eyebrows.
    >> Submitting SOAP to domains DIFFERENT from the one where
    >> the page was downloaded and REPLACING content in the
    >> current page so that the user doesn't have any kind of cue
    >> that something just happened seems like the kind of power
    >> for a form that we don't want to encourage (in a browser
    >> context, at least).  Is
    Robert> I can't disagree with you more here...
    Robert> Why should the user care that a SOAP message was sent
    Robert> to a domain and the results displayed on the screen?
    Robert> If you are concerned about sending a SOAP message to
    Robert> a secure site, there are WS-xxxx standards that are
    Robert> developed / being developed that address security.
    Robert> But getting back to the original XForms example, let's
    Robert> change the example a little bit.  Let's say I have
    Robert> created a nifty portal for all users of the
    Robert> Blackberry(tm).  Through my portal, my subscribers can
    Robert> book flights, hotels, cars, check traffic, get
    Robert> directions, weather updates, and more.
    Robert> Is it smarter for me to send a SOAP message to a
    Robert> hotel to make or alter a reservation or to open a
    Robert> window?  Too many of today's browser exploits exist
    Robert> because the browser executes arbitrary code.  In the
    Robert> case of SOAP, there is no code to execute at the
    Robert> client.  The results of the SOAP message are data
    Robert> that is acted upon or rendered.
    Robert> And for those cases where I have to worry about
    Robert> security or authentication, the community is working
    Robert> on those very issues.  But I suspect that you and I
    Robert> will not have to worry about those things in most of
    Robert> the work we will see in the near future.
    Robert> Of course, these are just my opinions.
    Robert> Bob

Best Regards,
T. V. Raman:  PhD (Cornell University)
IBM Research: Human Language Technologies
Architect:    Conversational And Multimodal WWW Standards
Phone:        1 (408) 927 2608   T-Line 457-2608
Fax:        1 (408) 927 3012     Cell: 1 650 799 5724
Email:        tvraman@us.ibm.com
WWW:      http://almaden.ibm.com/u/tvraman
AIM:      TVRaman
GPG:          http://www.almaden.ibm.com/cs/people/tvraman/raman-almaden.asc
Snail:        IBM Almaden Research Center,
              650 Harry Road
              San Jose 95120
Received on Wednesday, 25 August 2004 18:14:56 UTC