- From: L. David Baron <dbaron@dbaron.org>
- Date: Tue, 8 Jan 2008 16:56:15 -0800
- To: David Orchard <dorchard@bea.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>, www-tag@w3.org
On Tuesday 2008-01-08 16:30 -0800, David Orchard wrote:
> Substantive
> ----------------
> PEP in the client
> I'm concerned about the decision to have the client be a PEP, and the
> commensurate need to create a new policy language. The Security Context
> Working Group member Tyler's comments [2] and the extended discussion
> have not convinced me that his proposed simplification, or some other
> similar proposal, is not worth pursuing. I support continued
> examination of a server-side only PEP. I believe this is issue #20 afore
> the WG.

I don't know what a "PEP" is, so I'm not exactly sure what you're saying, but given the existence of many sites that use cookies, being behind firewalls, or a combination of both to protect data, the role of the client in preventing cross-site access isn't going away anytime soon. There's no way we can remove our general cross-site access restrictions.

However, there are lots of compelling use cases for relaxing those restrictions in some cases. (Current techniques for doing this often involve using JSON in ways that have cross-site script introduction vulnerabilities in the other direction, i.e., where the source of the data can attack the page using the data.) To do this, the client needs to be told to relax the restrictions that the security of lots of real world data currently depends on.

So I really don't see how cross-site access control can be "server-side only". Is that what you're suggesting?

-David

--
L. David Baron http://dbaron.org/
Mozilla Corporation http://www.mozilla.com/
Received on Wednesday, 9 January 2008 00:56:26 UTC
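
The argument in the message above, as an added JavaScript model that is not part of the original e-mail or of any W3C draft: a server that relies on cookies or firewall placement keeps answering credentialed requests, so the only place a cross-site read can be refused is the client, which relaxes its default only for servers that opt in. All names here (`legacyIntranet`, `partnerFeed`, `optIn`, `clientRead`, the `.example` origins) are hypothetical.

```javascript
// Constructed model, not a real browser or server API. All names are hypothetical.
// A server is { origin, optIn, handle(req) }; optIn lists the origins the server
// has told clients may read its responses.

// Legacy intranet app, written before any opt-in mechanism existed. It trusts the
// ambient authority on the request (session cookie, or being reachable only from
// inside the firewall) and never looks at which page initiated the request.
const legacyIntranet = {
  origin: "https://wiki.intranet.example",
  optIn: [],
  handle: (req) => (req.cookie === "session=alice" ? "payroll data" : "login page"),
};

// Newer service that explicitly opts in to reads from one partner origin.
const partnerFeed = {
  origin: "https://feed.example",
  optIn: ["https://mashup.example"],
  handle: () => "public feed",
};

// Cookies the user's browser attaches automatically, keyed by server origin.
const cookieJar = { "https://wiki.intranet.example": "session=alice" };

// Client as the enforcement point: the request goes out with the user's
// credentials, but the response reaches the page only if it is same-origin or
// the server opted in for the requesting origin. The default is deny.
function clientRead(pageOrigin, server, { enforce = true } = {}) {
  const body = server.handle({ cookie: cookieJar[server.origin] });
  const allowed = pageOrigin === server.origin || server.optIn.includes(pageOrigin);
  if (enforce && !allowed) return { ok: false, body: null };
  return { ok: true, body };
}

function demo() {
  const otherSite = "https://other-site.example";
  return {
    sameOrigin: clientRead(legacyIntranet.origin, legacyIntranet),
    crossSiteDefault: clientRead(otherSite, legacyIntranet),
    optedIn: clientRead("https://mashup.example", partnerFeed),
    notOptedIn: clientRead(otherSite, partnerFeed),
    // "Server-side only": the client stops enforcing; the legacy server is unchanged.
    serverSideOnly: clientRead(otherSite, legacyIntranet, { enforce: false }),
  };
}

console.log(demo());
```

The `serverSideOnly` case is the one the message is concerned with: the legacy server has no origin check of its own, so removing the client check hands its cookie-protected response to an unrelated page.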