[AC] new title, abstract and introduction

They are a bit shorter than the current abstract and introduction, but I  
think they're clear enough and should address the concern raised by David  
Baron on this list[1]. (And also that from other people who did not  
explicitly raise it.)

I do think that we need to add some examples as well and perhaps  
elaborate a bit more on the scenario that takes place (client does a  
request, gets headers back, verifies, gets a bit of the content, verifies,  
denies/allows/default), but I think we can do that after we have agreed on the  
syntax and the specific way of handling HTTP headers and XML processing  
instructions (when combined).


===
Title: Access Control for Web Pages

Abstract: This document provides two mechanisms for a page to relax  
typical cross-site scripting restrictions on accessing it. Using either an  
HTTP header or an XML processing instruction (or both), documents can indicate  
they can be accessed from domain <var>A</var>, but not from domain  
<var>B</var>, et cetera.

Introduction: Web browsers disallow a script on domain <var>A</var> from  
accessing content on domain <var>B</var>, because of security considerations.  
Authors resort to proxying the content through the domain hosting their  
application (<var>A</var>), thereby increasing overhead and limiting  
scalability. Access Control for Web Pages enables a way for authors to  
declare that the content on domain <var>B</var> may in fact be accessed by  
domain <var>A</var> by means of an HTTP header or an XML processing  
instruction (or both).

The HTTP header and XML processing instruction are designed explicitly to  
enable extending the "sandbox" and are not meant as a restriction  
mechanism. The expectation is that the user agent's default policy is more  
strict. Therefore, it is always safe to fall back to the default policy in the  
event of an error.

XXX: Is the above paragraph correct?
===


[1]<http://www.w3.org/mid/20060802183014.GA24161@ridley.dbaron.org>


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 4 August 2006 19:45:52 UTC
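The header-then-content check sketched in the message and the "only widen, fall back to default on error" rule from the draft introduction, as an added model (not code from the message or from any W3C draft). The header name, the processing-instruction target, the whitespace-separated `allow` list and the rule that an error in either declaration ends evaluation are all assumptions made here, since the syntax and the combined handling were still undecided.

```python
import re
from typing import Optional

# Assumed user-agent default: the strict policy that applies when nothing grants access.
DEFAULT_POLICY = "deny"

# Placeholder names; the draft had not settled the header or PI syntax.
HEADER_NAME = "x-placeholder-access-control"
PI_RE = re.compile(r'<\?placeholder-access-control\s+allow="([^"]*)"\s*\?>')
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def parse_allow_list(value: str) -> Optional[set]:
    """Whitespace-separated domain list; None means malformed (treated as an error)."""
    domains = value.split()
    if not domains or any(DOMAIN_RE.fullmatch(d) is None for d in domains):
        return None
    return set(domains)


def stage(value: Optional[str], requester: str) -> Optional[str]:
    """Evaluate one declaration: 'allow', DEFAULT_POLICY on error, or None if undecided."""
    if value is None:
        return None                  # nothing declared at this stage
    allowed = parse_allow_list(value)
    if allowed is None:
        return DEFAULT_POLICY        # error: fall back to the strict default, never widen
    if requester in allowed:
        return "allow"               # the page explicitly widened its sandbox for this domain
    return None                      # declared, but not for this requester


def decide(requester: str, headers: dict, body: str) -> str:
    """Check the response headers first, then the PI in the body; else the default applies."""
    lowered = {k.lower(): v for k, v in headers.items()}
    verdict = stage(lowered.get(HEADER_NAME), requester)
    if verdict is not None:
        return verdict
    match = PI_RE.search(body)
    verdict = stage(match.group(1) if match else None, requester)
    return verdict if verdict is not None else DEFAULT_POLICY
```

Because a declaration can only move the verdict from the default to "allow", a malformed or missing declaration can never leave the requester with more access than the user agent's default.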