Re: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

Thomas Roessler <tlr@w3.org> wrote on 04/14/2008 08:21:50 AM:

> On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote:
>
> > On the architecture side, Access Control is just plain wrong,
> > with the PEP on the client instead of the server, which requires
> > data to be sent along the pipe to the client, where the client is
> > trusted to discard the data if the user isn't allowed to see the
> > data; it is just plain architecturally wrong to transmit data
> > that is not meant to be seen.
>
> This seems to confuse the attacker model a bit.  It's not about the
> user not being permitted to see the data, it's about a web
> application from a different origin not being allowed to manipulate
> the data, even though the user is allowed to see the data.

The comment in question wasn't about CSRF or other data-setting attacks on
a server, but instead about how it is architecturally wrong to send data
that ultimately will be thrown out when it reaches the client. If I was
outside of the standards world and wrote some code that did this, I would
be embarrassed to show such an implementation during a code walkthrough.
The policy check should be done before the data is transmitted.

Jon