
Re: <?access-control?> allows privilege escalation attacks with many embedding mechanisms

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 19 Feb 2006 18:37:27 -0800
Message-Id: <71AEF1AC-DAFF-4EB1-A9D2-F163BF7F267F@apple.com>
Cc: Brad Porter <bwporter@tellme.com>, Anne van Kesteren <annevk@opera.com>, www-voice@w3.org, public-webapi@w3.org, public-appformats@w3.org, mozilla-xbl@mozilla.org
To: Ian Hickson <ian@hixie.ch>


On Feb 19, 2006, at 6:32 PM, Ian Hickson wrote:

> On Sat, 18 Feb 2006, Maciej Stachowiak wrote:
>>
>> I thought about this some more, and it no longer makes sense to me. If
>> off-site XBL runs in the security context of the referencing document,
>> not the XBL document, then why would <?access-control?> be useful?
>
> You want to prevent people from being able to use off-site XBL files
> without those files being intended for that purpose because otherwise you
> would be allowed to fetch any arbitrary XML on any site (including, e.g.,
> authenticated extranet or intranet sites).

OK, makes sense for this use case. Thanks for the explanation. I did
not think of the XBL file itself as potentially being the target of
unauthorized data access.

Regards,
Maciej
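The gate Ian describes, written out as an added example that is not part of this thread or of any browser's XBL implementation: an off-site XBL document is only usable as a binding if it opts in with an <?access-control?> processing instruction naming the referencing host, so a page cannot pull arbitrary XML from an intranet by pointing an XBL reference at it. The allow/deny pseudo-attribute syntax and the host-pattern rules are assumptions for the example, not quoted from the specification, and the XML samples are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed samples. INTRANET_XML carries no opt-in; PUBLIC_XBL opts in.
# The allow="..."/deny="..." syntax with hostnames, "*.suffix" or "*" is
# an assumption for this example, not the spec's exact grammar.
INTRANET_XML = '<?xml version="1.0"?>\n<records><r>internal data</r></records>'
PUBLIC_XBL = ('<?xml version="1.0"?>\n'
              '<?access-control allow="*.example.org example.net" '
              'deny="bad.example.org"?>\n'
              '<xbl><binding id="widget"/></xbl>')

PI_RE = re.compile(r"<\?access-control\s+(.*?)\?>", re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def access_control_lists(xml_text):
    """Return (allow, deny) from the first <?access-control?> PI found in
    the prolog (before the root element), or None when there is no PI."""
    root = re.search(r"<(?![?!])", xml_text)          # first element start tag
    prolog = xml_text[:root.start()] if root else xml_text
    m = PI_RE.search(prolog)
    if not m:
        return None
    attrs = dict(ATTR_RE.findall(m.group(1)))
    return attrs.get("allow", "").split(), attrs.get("deny", "").split()


def host_matches(host, pattern):
    """'*' matches any host, '*.suffix' matches subdomains, else exact host."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def may_bind_offsite_xbl(xbl_url, referrer_url, xbl_text):
    """Same-origin XBL is always usable. Off-site XBL is usable only when
    the XBL document itself opts in; with no PI it is treated as private
    data that the referencing page must not be able to read."""
    xbl, ref = urlsplit(xbl_url), urlsplit(referrer_url)
    if (xbl.scheme, xbl.netloc) == (ref.scheme, ref.netloc):
        return True
    lists = access_control_lists(xbl_text)
    if lists is None:
        return False                                   # no opt-in: refuse
    allow, deny = lists
    host = ref.hostname or ""
    if any(host_matches(host, p) for p in deny):
        return False
    return any(host_matches(host, p) for p in allow)
```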
Received on Monday, 20 February 2006 02:38:43 GMT
