- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Mon, 2 Oct 2006 11:56:37 -0700
- To: Brad Porter <brad@tellme.com>
- Cc: public-appformats@w3.org
The examples including Access-Control HTTP headers don't properly
delimit them (with "<>"). Please fix ASAP, as this will lead people
to do the wrong thing.
Cheers,
On 2006/09/29, at 3:43 PM, Brad Porter wrote:
> Given I merged 4 distinct documents, some editorial review would be
> appreciated.
> Anne, I changed "Web Page" to "Web Document" in the title as at
> least for me, web page means HTML and web document means any kind
> of resource. If I'm the only one who has this mental model, I am
> happy to change it back.
>
> Dean, should I add you to the list of editors?
>
> Brad
>
>
> Access Control for Web Documents W3C Working Group Working Draft 19
> September 2006 This version: http://www.w3.org/TR/@@@@/ Latest
> version: http://www.w3.org/TR/@@@@/ Editors: Brad Porter, Tellme
> Networks (Editor-in-Chief) Anne van Kesteren, Opera Matt Oshry,
> Tellme NetworksRJ Auburn, Voxeo Corporation
> Copyright ©2006 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C
> liability, trademark and document use rules apply.
>
> Abstract
> This document provides two mechanisms for a web document to relax
> typical cross-site scripting restrictions on accessing it. Using
> either a HTTP header or XML processing instruction (or both)
> documents can indicate they can be accessed from domain A, but not
> from domain B, et cetera.
>
> This document is based on the W3C's 13 June 2005 Working Group Note
> Authorizing Read Access to XML Content Using the <?access-control?>
> Processing Instruction 1.0 [AC-NOTE].
>
> Status of this Document
> This section describes the status of this document at the time of
> its publication. Other documents may supersede this document. A
> list of current W3C publications and the latest revision of this
> technical report can be found in the W3C technical reports index at
> http://www.w3.org/TR/.
>
> This is the @@ September 2006 Working Draft of the Authorizing Read
> Access to XML Content Using the <?access-control?> Processing
> Instruction, the first publication of this specification. This
> document is produced by a Task Force of the Voice Browser, Web API
> and Web Application Formats (WAF)Working Groups under the auspices
> of the WAF Working Group. The Web API and Web Application Formats
> Working Groups are part of the Rich Web Clients Activity and the
> Voice Browser Working Group is part of the Voice Browser Activity.
> Both of these Activities are within the W3C's Interaction Domain.
>
> The W3C has not analyzed the security problems which motivated the
> publication of this document. This document only addresses a subset
> of the security issues involved in exposing XML data over HTTP.
> This document documents an existing practice used under certain
> circumstances but in no way implies that the technique would be
> appropriate or secure to protect document access under all
> circumstances. Implementors should perform their own security
> analysis.
>
> The public is encouraged to send comments to the WAF Working
> Group's public mailing list public-appformats@w3.org (archive). See
> W3C mailing list and archive usage guidelines.
>
> This document was produced by a group operating under the 5
> February 2004 W3C Patent Policy. The W3C maintains a public list of
> any patent disclosures made in connection with the deliverables of
> the group; that page also includes instructions for disclosing a
> patent. An individual who has actual knowledge of a patent which
> the individual believes contains Essential Claim(s) must disclose
> the information in accordance with section 6 of the W3C Patent Policy.
>
> Publication as a Working Draft does not imply endorsement by the
> W3C Membership. This is a draft document and may be updated,
> replaced or obsoleted by other documents at any time. It is
> inappropriate to cite this document as other than work in progress.
>
> Table of Contents
> 1 Introduction
> 2 <?access-control?> Processing Instruction Algorithm
> 3 Security Considerations for User Agent Implementors and
> Application Authors
>
> Appendix
> A References
>
> 1 Introduction
> Web browsers disallow a script or page on domain A to access
> content on domain B, because of security considerations. Authors
> resort to proxying the content through the domain hosting their
> application (A) thereby increasing overhead and limiting
> scalability. Access Control for Web Documents enables a way for
> authors to declare that a document on domain B may in fact be
> accessed by domain A by means of a HTTP header or XML processing
> instruction (or both).
>
> The HTTP header and XML processing instruction are designed
> explicitly to enable extending the "sandbox" and are not meant as a
> restriction mechanism. The expectation is that the user agent's
> default policy is more strict. Therefore, it is always safe to fall-
> back to default policy in the event of an error.
>
> 2 <?access-control?> Processing Instruction Algorithm
> The user agent is responsible for validating that the requesting
> document (A) is allowed to access the contents of the requested
> document (B). This validation is performed by comparing the URL of
> document A with the access-control rules provided by document B.
>
> Access-control rules are specified in the Content-access-control
> HTTP header returned with the requested document (B). In addition,
> the access-control rules may be returned in an <?access-control?>
> processing instruction included in the XML prolog of the requested
> document (B).
>
> All rules provided must be used. If any rules are not well-formed
> for any reason, the user agent must fall-back to it default
> security policy. User agents must not use partial or incomplete
> information for comparison.
>
> There are two types of rules: allow and deny.
>
> Each rule has an associated URI pattern or patterns which may
> contain the '*' character as a wildcard. Wildcards may be placed
> anywhere in a URI string. Substring matches are not performed.
> Wildcards have the following rules:
>
> A single wildcard ('*') may be used to grant access to any web
> resource.
> A wildcard may be used in places of the enter protocol handler.
>
> *://example.com is allowed; http*:// is not allowed
>
> A wildcard may replace one level of hostname definition.
>
> http://*.example.com does match http://www.example.com/
> http://*.example.com does NOT match http://test.www.example.com
>
> A wildcard may replace a single directory level.
>
> http://www.example.com/*/index.html does match http://
> www.example.com/test/index.html
> http://www.example.com/*/index.html does NOT match http://
> www.example.com/dev/test/index.html
>
> A wildcard at the end of the URI may represent multiple levels of
> directories and a document name.
>
> http://www.example.com/test/* matches http://www.example/com/test/a/
> b/c/index.html
>
> Multiple wildcards may be combined in the same pattern.
>
> *://*.example.com/test/* matches https://test.example.com/test/a/b/
> c/index.html
>
> Rules are considered least specific to most specific in the
> following order:
>
> Rules with a single wildcard.
> Rules with a wildcard in the host or domain name.
> Rules with a wildcard in the protocol designator.
> Rules with a wildcard in the hostname.
> Rules with a wildcard in the directory name.
> Rules with a tailing wildcard.
> Rules with no wildcards.
>
> Comparing a pattern to the requesting URI is performed by a
> bytewise comparison of the URI to the target.
>
> When multiple rules are present, they must be evaluated in the
> following order:
>
> Least specific rules come before more specific rules.
> At the same level of specificity, allow rules come before deny rules.
> Evaluation is performed by evaluating the requesting URL against
> each rule. The last rule whose target matches the requesting URL is
> used. In the event that no rule matches the requesting URL, the
> user agent must use its default policy to determine whether to
> allow the requesting URL access.
>
> Access-Control HTTP Header
> Any document retrieved via HTTP MAY have access control rules
> defined in the HTTP header.
>
> Access-Control = "Access-Control" ":" 1#access-control-rule
> access-control-rule = instruction SP "<" uripattern ">"
> instruction = "allow" / "deny" / token
> uripattern ; URI from RFC3986, replacing ; reg-name with wildcard-
> reg-name
> wildcard-reg-name = *( unreserved | pct-encoded | sub-delims | "{*}" )
> Both the header field name and value are case-insensitive.
>
> If the keyword "allow" is the instruction then the URI patterns for
> that header are added to the allow ruleset. If the keyword "deny"
> is the instruction then the URI patterns for that header are added
> to the deny ruleset.
>
> NOTE: The header name may change in future drafts.
>
> NOTE: Should extension instructions be allowed? Should they be
> ignored? eg. Ignoring allow-on-tuesday doesn't weaken the security
> policy but ignoring deny-on-tuesday will.
>
> Access Control Processing Instruction
> [1] AccessControlPI ::= '<?access-control' (S
> 'allow="'AccessList'"' | S "allow='"AccessList"'")? (S
> 'deny="'AccessList'"' | S "deny='"AccessList"'")? (S 'require-
> secure="'true'"' | "require-secure="'false'")? S? '?>'
> [2] AccessList ::= AccessItem (S AccessItem)* | '*'
> [3] AccessItem ::= HostName | PartialHostName | IPv4address |
> genericuri
> [4] PartialHostName ::= '*.' HostName
> As required by RFC2616, multiple Access-Control headers are
> combined in the order in which they are received. For example, the
> following two HTTP responses and XML Processing Instruction
> generate the same ruleset.
>
> ------------------------------------------------------------- HTTP/
> 1.1 200 OK Date: Wed, 23 Aug 2006 09:31:41 GMT Server: Apache/
> 1.3.37 (Unix) Content-Length: 32924 Content-Type: text/html;
> charset=utf-8 Access-Control: allow http://good.example.com, allow
> http://nice.example.com Access-Control: allow http://
> friendly.example.com, deny http://*.example.com HTTP/1.1 200 OK
> Date: Wed, 23 Aug 2006 09:31:41 GMT Server: Apache/1.3.37 (Unix)
> Content-Length: 32924 Content-Type: text/html; charset=utf-8 Access-
> Control: allow http://good.example.com, allow http://
> nice.example.com, allow http://friendly.example.com, deny http://
> *.example.com
> -------------------------------------------------------------
> An Access-Control header or processing instruction is in error if
> the value has incorrect syntax, that is if either the instruction
> or any uripattern is malformed. If any Access-Control header or
> processing instruction is in error then the User Agent should
> ignore all Access-Control headers and use its default security policy.
>
> 3 Security Considerations for User Agent Implementors and
> Application Authors
>
> The processing instruction is designed explicitly to enable
> extending the sandbox for access to XML content for "read". It is
> not designed to used to enforce sandboxing itself restriction or
> provided generalized trust validation. The expectation is that the
> user agent's default sandboxing policy is more strict. Therefore,
> it is always safe to fall-back to default policy in the event of an
> error.
>
> A user agent running inside a trusted corporate network and
> executing untrusted content should enforce a sandboxing policy by
> denying access. In contrast, it may be appropriate to relax this
> policy when the user agent is executing only trusted applications
> that requires access to arbitrary XML feeds on the local network.
> User agent vendors that allow this sandboxing policy to be
> configured are encouraged to provide guidance on the appropriate
> settings. It is critical that network administrators understand the
> security issues pertinent to their environment and configure their
> systems appropriately. In tandem, developers and web server
> administrators must be aware of the dangers of trusting a user
> agent that can be configured to disable sandboxing.
>
> User agents which implement this capability should take care not to
> expose other trusted data (cookies, HTTP header data)
> inappropriately. The access-control processing instruction is only
> designed to enable access to the XML content.
>
> User agents which implement this capability should also take care
> to properly normalize Unicode and to properly interpret IDNs to
> prevent URL spoofing attacks.
>
> Application authors should be aware that XML content retrieved from
> another site is not itself trustable. Authors should take care to
> protect against exposing themselves to cross-site scripting attacks
> by failing to validate the content returned or executing the
> retrieved content directly.
>
> A References AC-NOTE Authorizing Read Access to XML Content Using
> the <?access-control?> Processing Instruction 1.0, ed. Matt Oshry,
> Brad Porter, RJ Auburn. W3C Working Group Note, 13 June 2005. See
> http://www.w3.org/TR/access-control/. DOM3LS Document Object Model
> (DOM) Level 3 Load and Save Specification, ed. Johnny Stenback and
> Andy Heninger. W3C Recommendation, April 2004. See http://
> www.w3.org/TR/DOM-Level-3-LS/. RFC2616Hypertext Transfer Protocol
> -- HTTP/1.1, ed. R. Fielding et al. IETF RFC 2616, June 1999. See
> http://www.ietf.org/rfc/rfc2616.txt. RFC3986Uniform Resource
> Identifier (URI): Generic Syntax , ed. T. Berners-Lee et al. IETF
> RFC 3986, January 2005. See http://www.ietf.org/rfc/rfc3986.txt.
> VXML21VoiceXML 2.1, ed. Matt Oshry et al. W3C Candidate
> Recommendation, June 2005. See http://www.w3.org/TR/2005/CR-
> voicexml21-20050613/. XML Extensible Markup Language (XML) 1.0, ed.
> Tim Bray et al. W3C Recommendation, February 2004. See http://
> www.w3.org/TR/2004/REC-xml-20040204/.
--
Mark Nottingham
mnot@yahoo-inc.com
Received on Monday, 2 October 2006 18:57:16 UTC