
Re: Request for Comments on Enabling Read Access for Web Resources

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 20 Sep 2007 15:55:51 +0200
To: "Williams, Stuart (HP Labs, Bristol)" <skw@hp.com>, "Arthur Barstow" <art.barstow@nokia.com>
Cc: public-appformats@w3.org
Message-ID: <op.tyygzdpa64w2qv@annevk-t60.oslo.opera.com>

On Wed, 29 Aug 2007 17:12:44 +0200, Williams, Stuart (HP Labs, Bristol)  
<skw@hp.com> wrote:
> 1) The TAG would like the introduction to the document to contain a
> fuller account of the rationale behind the existing UA sandbox policy and
> the attacks that it is intended to guard against. For example, we believe
> that one of the key use-cases that the sandbox policy is intended to
> address is leakage of confidential information from behind a firewall
> arising from either accidental or malicious scripted behaviour executing
> within the UA.

That is correct. I mentioned this now in the introduction:  
http://dev.w3.org/2006/waf/access-control/Overview.html#introduction


> We would then like the document to indicate whether there are
> situations where implementation of the Read Access Control Policy
> mechanism would make a UA and the network to which it is attached any
> more vulnerable to attack.
>
> We think that the increased risk is probably small, but we believe
> that the document should present more analysis than it does at present.

I tried making this more clear in the security section:  
http://dev.w3.org/2006/waf/access-control/Overview.html#security


My apologies for the late reply. I've been busy with some other tasks.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 20 September 2007 13:56:18 UTC
