Re: ISSUE-18: Is JSONRequest an acceptable alternative to the current model? [Access Control]

Jon Ferraiolo wrote:
>  > You failed to reply to the XSLT and XBL remarks that the JSON thingie 
>  > does not address. These are important use cases.
> 
> IMO the JSON use case is a couple of orders of magnitude more important 
> than the XSLT or XBL requirements. JSON is a primary format for 
> cross-site data exchange today, and is likely to grow in usage in the 
> coming years as more people discover its virtues.

It's very hard to do a fair comparison between JSON and cross-site XHR 
given that only JSON actually works today. So of course it's going to be 
the primary format today.

> Overall, I would prefer it if browsers would adopt JSONRequest rather 
> than Access Control. JSONRequest was designed carefully from a security 
> perspective, such as the random delay feature. It achieves its results 
> *without* sending cookies (the cookie feature in Access Control scares 
> lots of us because of CSRF issues). I recognize that the WAF committee 
> has spent lots of time and effort on the existing Access Control, but I 
> think the community would be better served by having browsers implement 
> JSONRequest instead. (JSONRequest would be even better if it allowed XML 
> data in addition to JSON data.)

I'm not sure why you think there's an either-or scenario here. Firefox 3 
will most likely support both JSONRequest (or some variant thereof, I'm 
not directly working on that part) as well as cross-site XHR using 
access-control.

A lot of people have said that sending cookies and auth credentials 
'scares' them, however no one has been able to show that it does in fact 
introduce new attack vectors.

I'm also very curious to hear how JSONRequest intends to do 
authentication without sending cookies or auth credentials. Does it work 
with existing deployed servers? Can I write a CGI script on an existing 
Apache server, or an ASP page on an existing IIS server that 
authenticates the JSONRequest?

> For XSLT and XBL, shouldn't browsers allow cross-site (GET) access in 
> the same way it does for CSS stylesheets and SCRIPT tags?

Now *that* if anything would introduce new attack vectors, no? I 
personally hate the fact that CSS and SCRIPT can load data cross site 
and I would love to disable that ability in Firefox and replace it with 
something more secure. Unfortunately that would break the web :(

/ Jonas

Received on Sunday, 6 January 2008 08:30:45 UTC
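The cookie question in this thread comes down to what a server does when a credentialed request arrives from another origin. The following is an added example, not code from the thread or from any browser or spec; it assumes a cookie-authenticated endpoint that gates cross-site callers on the Origin request header and answers with the CORS response headers as later standardized (Access-Control-Allow-Origin and Access-Control-Allow-Credentials), which the 2008 Access Control draft spelled differently.

```python
# Added example: server-side decision for a request that may carry the
# user's cookies. The allowlist, header names and origins are assumptions
# for illustration, not values from the thread.
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of sites permitted to read this endpoint cross-site.
ALLOWED_ORIGINS = {"https://app.example.com", "https://partner.example.net"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] (lower-cased) or None if not a bare origin."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def evaluate_request(headers: Dict[str, str], allowed=ALLOWED_ORIGINS) -> dict:
    """Decide whether to act on the request and whether the caller may read it.

    process: the server may perform the requested action.
    expose:  the browser may hand the response body to the calling page.
    headers: response headers to emit.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        # No Origin header: indistinguishable from today's form posts, so
        # this path is the pre-existing CSRF surface and needs the usual
        # token-style defences; the cross-site mechanism adds nothing here.
        return {"process": True, "expose": True, "headers": {}}
    norm = normalize_origin(origin)
    if norm is None or norm not in allowed:
        # Unknown cross-site caller ("null", malformed, look-alike host):
        # do not act on it and do not expose data. Never echo the Origin
        # back unchecked, and never pair "*" with credentials.
        return {"process": False, "expose": False, "headers": {"Vary": "Origin"}}
    return {
        "process": True,
        "expose": True,
        "headers": {
            "Access-Control-Allow-Origin": origin,  # exact allowlisted value
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # caches must not reuse this across origins
        },
    }
```

The point the check makes is that cookies on a cross-site request only become a new vector if the server performs the action or exposes the body without consulting Origin; with an exact-match allowlist, a cross-site caller gets no more than a form post already does.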