- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 17 Dec 2007 22:33:41 -0800
- To: "Doyle, Bill" <wdoyle@mitre.org>, "WAF WG (public)" <public-appformats@w3.org>
Doyle, Bill wrote: > 1. The cross-site scripting protocol must include strong > cryptographic mechanisms to ensure that the server can restrict use of > the capabilities to authenticated and authorized clients. The third party site can require that all communication between the third party server and the browser is done using https by simply denying all access requests done through any other means. The third party site can also require that all communication between the browser and the requesting site is done over https by only white-listing https servers. Does this satisfy the request? Additionally, it is possible to extend this further in the future by adding additional attributes to require even stronger protection. This is done in a forwards compatible manner by saying that a current implementation that sees any unrecognized attributes must deny access. > 2. The protocol must provide the ability for a server to support > fine grained access control. e.g. a server should be able to limit write > access to a specific client noted in item 1. Any type of access, including write access can be limited according to the rules described above. > 3. Protocol must be able to restrict inheritance of a clients > access control rights by other clients. I don't quite understand this question. > 4. Resources must be protected until access is granted; the > security consideration that resources are not revealed is not strong enough. The only requests that can be made without explicit authorization are GET requests. These requests are already possible today. The site should be protected from any other requests until it grants access. Best Regards, Jonas Sicking
Received on Tuesday, 18 December 2007 06:33:13 UTC