Re: XBL2: access-control doesn't "prevent" unauthorized access; general security model "vague"

Thomas Roessler wrote:
> Section 8.2.2 takes a bit of a shortcut around cross-site data
> access and scripting:
> 
> | User agents should implement a security mechanism such as the
> | proposed <?access-control?> PI to prevent unauthorized
> | cross-domain access. [ACCESSCONTROL]
> 
>  -- http://www.w3.org/TR/2007/CR-xbl-20070316/#scripting
> 
> The access-control processing-instruction (or, rather, the
> specification around it) actually does not prevent unauthorized
> cross-domain access, but rather expresses access authorizations that
> extend beyond the current security model.

I agree the language is wrong, though the intent is right. It would be
better to say something like:

User agents should implement a security mechanism such as the
proposed <?access-control?> PI to allow cross-domain access to XBL
documents. [ACCESSCONTROL]

> There's similarly misleading language in section 1.5:
> 
> | Data theft: A naïve implementation of XBL would allow any document
> | to bind to bindings defined in any other document, and (since
> | referencing a binding allows full access to that binding document's
> | DOM) thereby allow access to any remote file, including those on
> | intranet sites or on authenticated extranet sites.
> | 
> | XBL itself does not do anything to prevent this. However, it is
> | strongly suggested that an access control mechanism (such as that
> | described in [ACCESSCONTROL]) be used to prevent such cross-domain
> | accesses unless the remote site has allowed accesses.
> 
>  -- http://www.w3.org/TR/2007/CR-xbl-20070316/#security

Similarly here, the wording can be improved:

XBL itself does not do anything to prevent this. However, it is
strongly suggested that same-origin policies be used to prevent such
cross-domain accesses together with access control mechanisms (such as
that described in [ACCESSCONTROL]) to allow cross-domain access when the
remote site has allowed access.

/ Jonas

Received on Saturday, 7 July 2007 00:19:53 UTC