Re: Review of

On Tuesday 2008-01-08 16:30 -0800, David Orchard wrote:
> Substantive
> ----------------
> PEP in the client
> I'm concerned about the decision to have the client be a PEP, and the
> commensurate need to create a new policy language.  The Security Context
> Working Group member Tyler's comments [2] and the extended discussion
> have not convinced me that his proposed simplification, or some other
> similar proposal, is not worth pursuing.  I support continued
> examination of a server-side only PEP. I believe this is issue #20 afore
> the WG. 

I don't know what a "PEP" is, so I'm not exactly sure what you're
saying, but given the existence of many sites that use cookies,
being behind firewalls, or a combination of both to protect data,
the role of the client in preventing cross-site access isn't going
away anytime soon.  There's no way we can remove our general
cross-site access restrictions.

However, there are lots of compelling use cases for relaxing those
restrictions in some cases.  (Current techniques for doing this
often involve using JSON in ways that have cross-site script
introduction vulnerabilities in the other direction, i.e., where the
source of the data can attack the page using the data.)  To do this,
the client needs to be told to relax the restrictions that the
security of lots of real world data currently depends on.

So I really don't see how cross-site access control can be
"server-side only".  Is that what you're suggesting?


L. David Baron                       
Mozilla Corporation             

Received on Wednesday, 9 January 2008 00:56:26 UTC