- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Wed, 16 Jan 2008 09:05:53 -0500
- To: Ian Hickson <ian@hixie.ch>, David Orchard <dorchard@bea.com>, public-appformats@w3.org
Hixie, David, All,

Here's an input for the XBL2 Use Case (C&P'ed from the XBL2 spec) that David started at [AC-UC]:

[[
The <a href="http://www.w3.org/TR/xbl/">XML Binding Language</a> (XBL) is a mechanism for overriding the standard presentation and interactive behavior of particular elements by attaching those elements to appropriate definitions, called bindings. Bindings can be attached to elements using either CSS, the DOM, or by declaring, in XBL, that elements matching a specific selector are implemented by a particular binding. The element that the binding is attached to, called the bound element, acquires the new behavior and presentation specified by the binding.

In this context, data theft is a security concern since a naïve implementation of XBL would allow any document to bind to bindings defined in any other document, and (since referencing a binding allows full access to that binding document's DOM) thereby allow access to any remote file, including those on intranet sites or on authenticated extranet sites. XBL itself does not do anything to prevent this. However, the XBL specification strongly suggests that an access control mechanism (such as that described in [ACCESSCONTROL]) be used to prevent such cross-domain accesses unless the remote site has allowed accesses.
]]

Regards, Art Barstow

---
[AC-UC] <http://dev.w3.org/2006/waf/access-control/AccessControl-Requirements-20080114.html>
Received on Wednesday, 16 January 2008 14:06:47 UTC