Re: CDR: description of current web security model has problems

Maciej, you wrote:

> 2.5.3
> "Currently, the common approach used is to restrict access across  
> documents or network interfaces to material which comes from the same  
> source as the code which tries to make that access."
>
> - This sentence is not grammatically correct English.

It is grammatically correct English. It is not very clear, so we will re-write it. We hope it will be clearer.

> - The claim made by the sentence is not correct. Access is based on the  
> domain (and protocol and port) of the documents in the context of which  
> the code is executing. It ignores where the code comes from, if the  
> document happened to include code, such as JavaScript, from a site other  
> than that which the document came from.

This is correct, in detail. Broadly speaking, the practical upshot is  
similar to the existing brief description.

> "This makes it difficult to re-use resources on the Web, by requiring a  
> copy to be held in the domain of each application which uses that
> resource."
>
> - I don't see how this is true. JavaScript files, CSS files, images and  
> html files can all be included from other sites. The difficulty only  
> occurs when you wish to read the contents of such documents. There is no  
> client-side technology that two sites could use to collaborate.

Cross-document messaging, or simple DOM calls across a document object are  
not restricted by spec to the same site.

> "This breaks cacheability, potentially reduces maintainability, and  
> requires services to maintain the entire service rather than taking full  
> advantage of specialised third-party providers."
>
> - I'm not buying these claims but ok - does this spec propose doing  
> anything different in this regard? Does it propose that access to  
> different documents *not* be restricted based on domain/scheme/port as  
> traditionally?

The spec does not propose a security model; it points out that there are potential security risks involved in granting access to a DOM from a different document (see your own message at @@). It notes in passing that one common approach (cross-domain restriction), while "good enough for many current uses", is neither a particularly brilliant nor a brilliantly secure approach for the Web at large, and so explicitly avoids mandating this approach.

I hope this satisfies your concern. If not please let us know within two  
weeks.

For the working group, cheers

Chaals

-- 
Charles McCathieNevile                     chaals@opera.com
   hablo español  -  je parle français  -  jeg lærer norsk
      Peek into the kitchen: http://snapshot.opera.com/

Received on Monday, 6 February 2006 13:30:31 UTC
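The distinction Maciej draws in the exchange above (access is decided by the scheme, host and port of the document the script runs in, not by where the script file was fetched from) is easy to get wrong when reading the draft's "same source as the code" wording. The following is an added illustration, not code from the thread, the working group or any browser. It uses the WHATWG URL parser available in Node.js; the default-port table and the small "document" object used to model an included script are assumptions made for the example only.

```javascript
// Added example (not part of the original thread): the (scheme, host, port)
// comparison that the "same source" restriction actually performs, and a model
// of why the script's own source URL plays no part in it.

// Assumption for the example: default ports used to normalise an absent port.
const DEFAULT_PORTS = {
  'http:': '80',
  'https:': '443',
  'ws:': '80',
  'wss:': '443',
  'ftp:': '21',
};

// Reduce a URL to the triple that the restriction compares. An absent port is
// normalised to the scheme default so that "https://example.com/" and
// "https://example.com:443/" are treated as the same source.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// True when both URLs share scheme, host and port; a different subdomain,
// a different scheme or a non-default port all count as a different source.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed model of a document and one script it included via <script src>.
// `doc` is a plain object for illustration, not a DOM API.
function makeDocument(url, scriptSrc) {
  return { url, scriptSrc };
}

// The point Maciej makes: code included by a document runs with that
// document's origin. `doc.scriptSrc` is deliberately never consulted, because
// the access decision does not depend on it.
function scriptCanAccess(doc, targetDocumentUrl) {
  return sameOrigin(doc.url, targetDocumentUrl);
}

// Constructed sample input: an application page that pulls a library from a
// third-party host.
const hostDocument = makeDocument(
  'https://app.example.com/index.html',
  'https://cdn.example.net/widget.js'
);

// Run a few representative decisions and return them so they can be checked.
function demo() {
  return {
    defaultPortIsSameOrigin: sameOrigin('https://example.com/a', 'https://example.com:443/b'),
    schemeChangeIsCrossOrigin: sameOrigin('http://example.com/', 'https://example.com/'),
    portChangeIsCrossOrigin: sameOrigin('https://example.com/', 'https://example.com:8443/'),
    subdomainIsCrossOrigin: sameOrigin('https://a.example.com/', 'https://example.com/'),
    // The third-party script can read other documents on app.example.com...
    scriptReadsHostOrigin: scriptCanAccess(hostDocument, 'https://app.example.com/other.html'),
    // ...but not documents on the host it was fetched from.
    scriptReadsItsOwnSource: scriptCanAccess(hostDocument, 'https://cdn.example.net/page.html'),
  };
}

console.log(demo());
```

Two things follow from running this that the prose alone does not make obvious: a library served from cdn.example.net is, from the browser's point of view, indistinguishable from code the application author wrote, so it can read and modify any document on app.example.com; and the reverse direction is closed, so the same script cannot reach back into documents on the CDN's origin. This is why "where the code comes from" is the wrong mental model and why inclusion of third-party script is a trust decision rather than a sandboxing one. The cross-document messaging Chaals refers to is a separate channel that is not gated by this comparison at all, so each side has to check the sender's origin itself when it is used.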