- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 06 Jul 2007 17:19:38 -0700
- To: "WAF WG (public)" <public-appformats@w3.org>
Thomas Roessler wrote:
> Section 8.2.2 takes a bit of a shortcut around cross-site data
> access and scripting:
>
> | User agents should implement a security mechanism such as the
> | proposed <?access-control?> PI to prevent unauthorized
> | cross-domain access. [ACCESSCONTROL]
>
> -- http://www.w3.org/TR/2007/CR-xbl-20070316/#scripting
>
> The access-control processing-instruction (or, rather, the
> specification around it) actually does not prevent unauthorized
> cross-domain access, but rather expresses access authorizations that
> extend beyond the current security model.

I agree the language is wrong, though the intent is right. It would be
better to say something like:

  User agents should implement a security mechanism such as the
  proposed <?access-control?> PI to allow cross-domain access to XBL
  documents. [ACCESSCONTROL]

> There's similarly misleading language in section 1.5:
>
> | Data theft: A naïve implementation of XBL would allow any document
> | to bind to bindings defined in any other document, and (since
> | referencing a binding allows full access to that binding document's
> | DOM) thereby allow access to any remote file, including those on
> | intranet sites or on authenticated extranet sites.
> |
> | XBL itself does not do anything to prevent this. However, it is
> | strongly suggested that an access control mechanism (such as that
> | described in [ACCESSCONTROL]) be used to prevent such cross-domain
> | accesses unless the remote site has allowed accesses.
>
> -- http://www.w3.org/TR/2007/CR-xbl-20070316/#security

Similarly here, the wording can be improved:

  XBL itself does not do anything to prevent this. However, it is
  strongly suggested that same-origin policies be used to prevent such
  cross-domain accesses together with access control mechanisms (such as
  that described in [ACCESSCONTROL]) to allow cross-domain access when
  the remote site has allowed access.

/ Jonas
Received on Saturday, 7 July 2007 00:19:53 UTC
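The distinction drawn in the message above (the same-origin policy is what denies cross-domain binding; the access-control PI only widens what is allowed) can be made concrete as a binding-load decision. The following is an added example written for this archive page, not code from Jonas Sicking, the XBL specification or any browser. It assumes a simplified <?access-control allow="..." exclude="..."?> grammar with "*" and "*.example.org" patterns in the spirit of the 2007 Access Control draft, treats "*.example.org" as matching subdomains only, and omits default-port normalization; the sample binding documents and origins are constructed for illustration.

```javascript
// Added example: deny-by-default same-origin check for XBL binding documents,
// widened only by an <?access-control?> PI found in the binding document.
// Not from the XBL spec or any browser. The PI grammar assumed here
// (allow/exclude attributes, "*" and "*.host" patterns) is an assumption
// modelled on the 2007 W3C Access Control draft.

// Parse "scheme://host[:port]" into its parts (no default-port normalization).
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error("bad origin: " + origin);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || null };
}

// The same-origin policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Pull the allow/exclude lists out of the first <?access-control ...?> PI in
// the binding document's source text. A document without the PI grants nothing.
function parseAccessControlPI(xmlText) {
  const rules = { allow: [], exclude: [] };
  const pi = /<\?access-control\s+([^?]*)\?>/i.exec(xmlText);
  if (!pi) return rules;
  const attrRe = /(allow|exclude)\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = attrRe.exec(pi[1])) !== null) {
    rules[m[1].toLowerCase()].push(...m[2].trim().split(/\s+/).filter(Boolean));
  }
  return rules;
}

// Does one access item ("*", "example.org", "*.example.org",
// "https://partner.test:8443") match the requesting origin?
// "*.example.org" is taken to match subdomains only (assumption).
function itemMatches(item, origin) {
  if (item === "*") return true;
  const o = parseOrigin(origin);
  let rest = item, scheme = null, port = null;
  const schemeIdx = rest.indexOf("://");
  if (schemeIdx !== -1) {
    scheme = rest.slice(0, schemeIdx).toLowerCase();
    rest = rest.slice(schemeIdx + 3);
  }
  const portIdx = rest.lastIndexOf(":");
  if (portIdx !== -1) {
    port = rest.slice(portIdx + 1);
    rest = rest.slice(0, portIdx);
  }
  if (scheme !== null && scheme !== o.scheme) return false;
  if (port !== null && port !== o.port) return false;
  const host = rest.toLowerCase();
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // e.g. ".example.org"
    return o.host.endsWith(suffix) && o.host.length > suffix.length;
  }
  return host === o.host;
}

// The decision a user agent would make before giving a document access to a
// binding document's DOM: same origin is always fine; anything else requires
// an explicit allow entry and no matching exclude entry.
function mayBind(requesterOrigin, bindingOrigin, bindingXml) {
  if (sameOrigin(requesterOrigin, bindingOrigin)) return true;
  const rules = parseAccessControlPI(bindingXml);
  const allowed = rules.allow.some((i) => itemMatches(i, requesterOrigin));
  const excluded = rules.exclude.some((i) => itemMatches(i, requesterOrigin));
  return allowed && !excluded;
}

// Constructed sample binding documents (not real sites).
const INTRANET_BINDING =
  '<?xml version="1.0"?>\n' +
  '<xbl xmlns="http://www.w3.org/ns/xbl"><binding id="b"/></xbl>';

const PUBLIC_BINDING =
  '<?xml version="1.0"?>\n' +
  '<?access-control allow="*.example.org https://partner.test" exclude="visitors.example.org"?>\n' +
  '<xbl xmlns="http://www.w3.org/ns/xbl"><binding id="b"/></xbl>';

// Intranet binding with no PI: only the intranet itself can bind to it.
console.log(mayBind("http://intranet.corp", "http://intranet.corp", INTRANET_BINDING)); // true
console.log(mayBind("http://evil.test", "http://intranet.corp", INTRANET_BINDING));     // false
// Public binding: the PI widens access to the listed origins only.
console.log(mayBind("http://app.example.org", "http://widgets.test", PUBLIC_BINDING));      // true
console.log(mayBind("http://visitors.example.org", "http://widgets.test", PUBLIC_BINDING)); // false
```

The important property is the order of the two checks: a binding document that carries no PI at all is reachable only from its own origin, which is what stops a page on the public web from reading an intranet or authenticated-extranet binding document's DOM; the PI can only add origins, never take the default away.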