- From: Thomas Roessler <tlr@w3.org>
- Date: Sat, 7 Jul 2007 00:37:00 +0200
- To: public-appformats@w3.org
Section 8.2.2 takes a bit of a shortcut around cross-site data access and scripting:

| User agents should implement a security mechanism such as the
| proposed <?access-control?> PI to prevent unauthorized
| cross-domain access. [ACCESSCONTROL]
-- http://www.w3.org/TR/2007/CR-xbl-20070316/#scripting

The access-control processing-instruction (or, rather, the specification around it) actually does not prevent unauthorized cross-domain access, but rather expresses access authorizations that extend beyond the current security model.

There's similarly misleading language in section 1.5:

| Data theft: A naïve implementation of XBL would allow any document
| to bind to bindings defined in any other document, and (since
| referencing a binding allows full access to that binding document's
| DOM) thereby allow access to any remote file, including those on
| intranet sites or on authenticated extranet sites.
|
| XBL itself does not do anything to prevent this. However, it is
| strongly suggested that an access control mechanism (such as that
| described in [ACCESSCONTROL]) be used to prevent such cross-domain
| accesses unless the remote site has allowed accesses.
-- http://www.w3.org/TR/2007/CR-xbl-20070316/#security

More generically, XBL is rather silent about its overall security model, and admits so much in 8.2.2:

| Each document that runs script (including bound documents and
| binding documents) has a DocumentWindow object, a Window object, a
| global script scope, and a security context. In ECMAScript, the
| global script scope and the Window object are one and the same.
|
| Note: This above paragraph is a vague description of the Web's
| de-facto scripting model. This specification depends on that
| model, but it hasn't yet been specified in detail. This
| specification will be updated when a suitable description is
| available.
...
| Scripting and security contexts are (or will be) described in the
| HTML5 specification. [HTML5]
-- http://www.w3.org/TR/2007/CR-xbl-20070316/#scripting

It is somewhat surprising to find language like that at Candidate Rec stage, to put it mildly. Ideally, XBL2 would include a somewhat more mature presentation of the security model and issues that arise.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 6 July 2007 22:37:05 UTC