
[ac] XBL Use Case input

From: Arthur Barstow <art.barstow@nokia.com>
Date: Wed, 16 Jan 2008 09:05:53 -0500
Message-Id: <2843C72F-A614-4EB2-BDA2-443ECB60B77C@nokia.com>
To: Ian Hickson <ian@hixie.ch>, David Orchard <dorchard@bea.com>, public-appformats@w3.org

Hixie, David, All,

Here's an input for the XBL2 Use Case (C&P'ed from the XBL2 spec)  
that David started at [AC-UC]:

The XML Binding Language <http://www.w3.org/TR/xbl/>  
(XBL) is a mechanism for overriding the standard presentation and  
interactive behavior of particular elements by attaching those  
elements to appropriate definitions, called bindings. Bindings can be  
attached to elements using either CSS, the DOM, or by declaring, in  
XBL, that elements matching a specific selector are implemented by a  
particular binding. The element that the binding is attached to,  
called the bound element, acquires the new behavior and presentation  
specified by the binding.

In this context, data theft is a security concern since a naïve  
implementation of XBL would allow any document to bind to bindings  
defined in any other document, and (since referencing a binding  
allows full access to that binding document's DOM) thereby allow  
access to any remote file, including those on intranet sites or on  
authenticated extranet sites.

XBL itself does not do anything to prevent this. However, the XBL  
specification strongly suggests that an access control mechanism  
(such as that described in [ACCESSCONTROL]) be used to prevent such  
cross-domain accesses unless the remote site has allowed accesses.

Regards, Art Barstow

[AC-UC] <http://dev.w3.org/2006/waf/access-control/AccessControl- 
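The paragraphs quoted above describe the policy a user agent needs when a document tries to attach a binding defined in another document: deny cross-origin binding loads unless the remote site has opted in. The following is an added illustration of that check, not code from the XBL2 spec, the Access Control draft, or this message. It assumes the binding document's HTTP response headers are available as a plain object and uses the later CORS header name Access-Control-Allow-Origin as a stand-in for whatever opt-in syntax [ACCESSCONTROL] defines; the sample URLs and headers are constructed.

```javascript
// Added example: user-agent-side decision on whether a bound document may
// load a binding document from another origin. Not the XBL2 or Access
// Control specification's own algorithm; the header name is assumed.

// Scheme + host + port define an origin. URL.origin normalizes default ports,
// so "https://a.example:443/x" and "https://a.example/x" compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// Case-insensitive header lookup over a constructed {name: value} object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return String(headers[key]).trim();
  }
  return '';
}

// Returns true only when the bound document's origin may use the binding.
// `credentialed` marks a fetch that carried cookies or HTTP auth, i.e. the
// "authenticated extranet" case from the spec text; a wildcard opt-in is not
// honoured there (mirroring the later CORS rule), so a site must name the
// requesting origin explicitly before an authenticated resource is exposed.
function bindingLoadAllowed(boundDocumentUrl, bindingUrl, responseHeaders, credentialed = false) {
  const requester = originOf(boundDocumentUrl);
  const target = originOf(bindingUrl);
  if (requester === target) {
    return true; // same-origin: the document already has access to that DOM
  }
  const allow = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (allow === '') {
    return false; // default-deny: the remote site said nothing
  }
  if (allow === '*') {
    return !credentialed;
  }
  return allow === requester;
}

// Constructed scenarios, returned so they can be checked rather than printed.
function demo() {
  const app = 'https://app.example/page.xhtml';
  return {
    sameOrigin: bindingLoadAllowed(app, 'https://app.example/ui/bindings.xml', {}),
    intranetNoOptIn: bindingLoadAllowed(app, 'http://intranet.corp/widgets.xml', {}),
    wildcardPublic: bindingLoadAllowed(app, 'https://cdn.example/b.xml',
      { 'Access-Control-Allow-Origin': '*' }),
    wildcardAuthenticated: bindingLoadAllowed(app, 'https://extranet.example/b.xml',
      { 'access-control-allow-origin': '*' }, true),
    namedOriginAuthenticated: bindingLoadAllowed(app, 'https://extranet.example/b.xml',
      { 'Access-Control-Allow-Origin': 'https://app.example' }, true),
    otherOriginNamed: bindingLoadAllowed(app, 'https://extranet.example/b.xml',
      { 'Access-Control-Allow-Origin': 'https://other.example' }),
  };
}

console.log(demo());
```

The decisive design choice is the default: with no opt-in header at all the load is refused, which is exactly the gap the message says a naïve XBL implementation would leave open, since an intranet or authenticated extranet server that has never heard of XBL will send no such header.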
Received on Wednesday, 16 January 2008 14:06:47 UTC
