Re: Feedback on Access Control from Mark Nottingham on 2008-01-23 (public-appformats@w3.org from January 2008)

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Wed, 23 Jan 2008 11:45:26 +1100
To: Anne van Kesteren <annevk@opera.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-Id: <935E34EA-DE2A-409C-B32B-B507F591BFE2@yahoo-inc.com>

On 23/01/2008, at 9:50 AM, Anne van Kesteren wrote:

> On Tue, 22 Jan 2008 23:14:26 +0100, Mark Nottingham <mnot@yahoo-inc.com 
> > wrote:
>> On 22/01/2008, at 8:59 PM, Anne van Kesteren wrote:
>>> On Tue, 22 Jan 2008 04:56:52 +0100, Mark Nottingham <mnot@yahoo-inc.com
>>>> [...] Separate from the server-side vs. client-side policy  
>>>> enforcement issue (which I'm not bringing up here explicitly,  
>>>> since it's an open issue AFAICT, although the WG doesn't link to  
>>>> its issues list from its home page), the Working Group needs to  
>>>> motivate the decision to have access control policy only apply on  
>>>> a per-resource basis, rather than per resource tree, or site-wide.
>>>
>>> It's not an open issue.
>>
>> Let's have one, then. The W3C has already solved the problem of  
>> site-wide metadata once, and there should be *some* reason for  
>> taking a different path this time.
>
> Actually, we have an open issue on this one and it's proposed for  
> closing as we have per resource policy requirement.

Perhaps it would be good to get consensus on requirements first...

At any rate, take a look at P3P, which does allow per-resource policy.


>>>> Overall, this approach doesn't seem well-integrated into the Web,  
>>>> or even friendly to it; it's more of a hack, which is puzzling,  
>>>> since it requires clients to change anyway.
>>>
>>> I don't really understand this. Changing clients is cheap compared  
>>> to changing all the servers out there.
>>
>> Spoken like a true browser vendor. The thing is, it's not necessary  
>> to change all of the servers; anyone who's sufficiently motivated  
>> to publish cross-site data can get their server updated, modified,  
>> or move to a new one easily. OTOH they have *no* power to update  
>> their users' browsers (unless they're in an especially iron-fisted  
>> enterprise IT environment, and even then...).
>
> We need updates of browsers anyway. Otherwise cross-site  
> XMLHttpRequest will not work. Also, I still don't understand your  
> comment correctly.

I'm not sure what I can do to make it clearer.


>>> Multi-user hosts already need filtering. Otherwise they could  
>>> simply load a page from the same domain with a different path in  
>>> an <iframe> or something and do the request from there. The  
>>> security model of the Web is based around domains. How unfortunate  
>>> or fortunate that may be.
>>
>> Yes; it's still worth pointing this out for the uninitiated.
>
> Can you propose some text?

In Security Considerations;

Because the granularity of access control is only per referring site,  
authors sharing content with domains that host content for more than  
one user (e.g., sites with user accounts, picture hosting sites,  
"social networking" sites) should be aware that it is not possible to  
selectively share content; if requests are allowed from a host, they  
are allowed for all resources on that host.


--
Mark Nottingham       mnot@yahoo-inc.com

Received on Wednesday, 23 January 2008 00:46:11 UTC