- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Thu, 15 May 2008 06:08:52 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
- Message-ID: <OF67D774F8.D21B4775-ON8825744A.004653C1-8825744A.00483961@us.ibm.com>
<jonas>
I don't understand at all what you are proposing. If we allow the client
to always POST cross domain the damage is already done and we have lost
already....JSONRequest always allows cross-site POSTs, i.e. it always
allows the thing we are trying to prevent.
</jonas>
JSONRequest requires that a server make explicit changes in order to opt-in
to enabling cross-site requests (GET or POST). From the JSONRequest spec
(http://www.json.org/JSONRequest.html):
3. Responses will be rejected unless they contain a JSONRequest content
type. This makes it impossible to use JSONRequest to obtain data from
insecure legacy servers.
XDR has a similar approach where the server must opt-in by checking for
XDomainRequest: 1 header in the request and returning
XDomainRequestAllowed: 1 in the response.
The assumption in both cases is that when a server developer learns that he
can opt-in to make his server support cross-site requests, he will also
learn that there are dangers with enabling this feature and will become
aware that there are well-known techniques for mitigating those dangers.
<jonas>
We can't make existing already deployed servers to start
dealing with this new spec.
</jonas>
I'm not sure what you are asking. Are you saying that we can't require
existing servers to make changes in order to support cross-site requests?
But AC also requires servers to make changes in order to support at least
some of its features.
Jon
Jonas Sicking <jonas@sicking.cc> wrote on 05/14/08 05:20 PM (sent by: public-appformats-request@w3.org):
To: Jon Ferraiolo/Menlo Park/IBM@IBMUS
Cc: "WAF WG (public)" <public-appformats@w3.org>
Subject: Re: [AC] URI canonicalization problem with Access-Control-Policy-Path
Jon Ferraiolo wrote:
> Sorry for beating a dead horse, but IMO the policy manager (i.e., the
> software that decides whether to allow a request to go through, aka the
> PEP) shouldn't be on the client anyway. The client should just make
> cross-domain requests and the server should enforce which requests are
> allowed to go through. Instead of the server delegating to the client
> the responsibility for only allowing certain requests (e.g., only to
> /api/*), the server should itself take responsibility for permitting or
> denying requests.
I don't understand at all what you are proposing. If we allow the client
to always POST cross domain the damage is already done and we have lost
already. We can't make existing already deployed servers to start
dealing with this new spec.
Please elaborate in more detail.
> (JSONRequest in contrast has no client-side mechanisms
> for deciding which requests should be allowed or denied and assumes that
> any such logic would be on the server.)
JSONRequest always allows cross-site POSTs, i.e. it always allows the
thing we are trying to prevent.
/ Jonas
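The two opt-in schemes argued over above, and the point on which the two authors disagree, can be made concrete with a small model. The following is an added illustration, not code from this thread, from the JSONRequest spec, or from any browser or server implementation. It models the JSONRequest rule that a client discards any response without the JSONRequest content type (the `application/jsonrequest` media type is assumed from the spec; the thread only says "a JSONRequest content type"), the XDR-style `XDomainRequest: 1` / `XDomainRequestAllowed: 1` handshake quoted in the message, and a server acting as its own policy enforcement point that only permits cross-site calls under one path prefix (the `/api/*` example from Jon's earlier mail). The `state["writes"]` counter is a constructed stand-in for any side effect a POST has on the server; it exists to show the concern Jonas raises, namely that a legacy server with no opt-in logic still processes a cross-site POST even though the client throws the response away.

```python
# Added illustration: models of the opt-in mechanisms discussed in this thread.
# Not code from the W3C thread, the JSONRequest spec, or any browser/server.
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, str]  # (status, response headers, body)

# Media type defined by the JSONRequest spec (assumed from the spec text;
# the thread itself only says "a JSONRequest content type").
JSONREQUEST_MIME = "application/jsonrequest"


def _mime(headers: Headers) -> str:
    """Media type of a Content-Type header, parameters stripped, lower-cased."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def jsonrequest_client_accepts(response: Response) -> bool:
    """JSONRequest rule 3 as a client-side check: hand the response to the page
    only if it carries the JSONRequest content type. Legacy servers never emit
    it, so their data stays unreadable even though the request was delivered."""
    _status, headers, _body = response
    return _mime(headers) == JSONREQUEST_MIME


def xdr_client_accepts(response: Response) -> bool:
    """XDR-style client check: the server must answer XDomainRequestAllowed: 1."""
    _status, headers, _body = response
    return headers.get("XDomainRequestAllowed", "").strip() == "1"


def xdr_server(allowed_prefix: str, allowed_methods: frozenset) -> Callable:
    """Build a server handler that is its own policy enforcement point (the PEP
    in the thread). Policy is deliberately simple: cross-site requests are
    permitted only under one path prefix and only for the listed methods."""
    def handle(method: str, path: str, headers: Headers, state: Dict) -> Response:
        cross_site = headers.get("XDomainRequest", "").strip() == "1"
        if cross_site and not (path.startswith(allowed_prefix)
                               and method in allowed_methods):
            # Refused before any side effect happens; no opt-in header is sent.
            return 403, {"Content-Type": "text/plain"}, "cross-site request refused"
        if method == "POST":
            state["writes"] = state.get("writes", 0) + 1  # constructed side effect
        resp_headers = {"Content-Type": "application/json"}
        if cross_site:
            resp_headers["XDomainRequestAllowed"] = "1"  # explicit opt-in
        return 200, resp_headers, '{"ok": true}'
    return handle


def legacy_server(method: str, path: str, headers: Headers, state: Dict) -> Response:
    """A pre-existing server that knows nothing about any opt-in header: it
    processes whatever arrives and answers with an ordinary content type."""
    if method == "POST":
        state["writes"] = state.get("writes", 0) + 1  # constructed side effect
    return 200, {"Content-Type": "application/json"}, '{"ok": true}'


def simulate(server: Callable, method: str, path: str) -> Tuple[bool, int]:
    """Send one cross-site request through the XDR-style handshake and report
    (did the client accept the response, how many writes the server performed)."""
    state: Dict = {}
    request_headers = {"XDomainRequest": "1"}
    response = server(method, path, request_headers, state)
    return xdr_client_accepts(response), state.get("writes", 0)


if __name__ == "__main__":
    api = xdr_server("/api/", frozenset({"GET", "POST"}))
    print("legacy  POST /transfer  :", simulate(legacy_server, "POST", "/transfer"))
    print("opt-in  POST /api/items :", simulate(api, "POST", "/api/items"))
    print("opt-in  POST /admin/drop:", simulate(api, "POST", "/admin/drop"))
```

Running the three cases shows the disagreement in one line each: the legacy server returns `(False, 1)`, meaning the client never saw the response but the POST was still processed; the opted-in server returns `(True, 1)` for a path it chose to expose and `(False, 0)` for one it did not, because the server, not the client, decided before doing any work.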
Received on Thursday, 15 May 2008 13:11:22 UTC