Re: CDR: description of current web security model has problems

* Charles McCathieNevile wrote:
>The spec does not propose a security model, it points out that there are  
>potential security risks involved in granting access to a DOM from a
>different document (see your own message at @@). It notes in passing that  
>one common approach (cross-domain restriction) while "good enough for many  
>current uses" is neither a particularly brilliant nor a brilliantly secure  
>approach for the Web at large, and so explicitly avoids mandating this  
>approach.

I'd appreciate some clarification here. Let's assume a user agent that
implements only the absolute requirements of the CDF specifications, and
a document http://example.org/foo.xhtml with

  <object data="http://org.example/bar.svg" ...>

Let's further assume that both documents use cookie-based authentication
and the user is logged into both sites when visiting the XHTML document;
both documents expose the user name in the DOM tree like "Hello Björn";
do I understand correctly that

  * bar.svg can read the example.org user name
  * foo.xhtml can read the org.example user name
  * bar.svg can synthesize events and bubble them into foo.xhtml

and further

  * this would be the default behavior
  * there is no way for bar.svg to opt out of it
  * there is no way for foo.xhtml to opt out of it

If this is correct it seems example.org and org.example can only protect
their users by hoping that browser vendors won't allow this to work by
default and take further steps to reduce the risk, e.g. by embedding
only fully trusted SVG content.

If I understand the model correctly, could you elaborate on why this
model is preferable to e.g. a model where implementations must not by
default grant access from either resource to the other and provide means
that allow them to opt in to a less restricted model?

I note that e.g. in the context of VoiceXML the latter model has been
chosen, see e.g. <http://www.w3.org/TR/access-control/>. At the moment
I would rather that this document be put on the Recommendation track
with changes as proposed by Ian Hickson and others, like extending it
to be also usable from HTTP headers, support for IDNs, etc.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Monday, 6 February 2006 16:45:04 UTC
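The default-deny, opt-in model the message asks about, as an added example that is not part of the original thread or of any W3C draft: a document is reduced to its origin (scheme, host, port), cross-origin DOM access is refused unless the target document carries an explicit allowlist of origins, and the allowlist format itself (`allow: [...]` on a plain object) is a hypothetical illustration rather than the syntax of the access-control specification. The origin comparison also makes the two details the message raises visible: default ports are normalised, and IDN hostnames are compared in their ASCII (punycode) form, so two spellings of the same host do not produce two "origins".

```javascript
// Added example, not code from the thread. Models the opt-in access model
// Björn asks about: same-origin access is implicit, everything else is
// denied unless the target document explicitly allows the accessor's origin.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to its origin triple "scheme//host:port". The default port
// is made explicit so http://example.org and http://example.org:80 compare
// equal. The WHATWG URL parser lower-cases the host and converts IDN labels
// to ASCII, so "bücher.example" and "xn--bcher-kva.example" compare equal too.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (port === undefined) throw new Error(`no default port known for ${u.protocol}`);
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A document is its URL plus an optional (hypothetical) allowlist of origins
// it grants DOM access to. No allowlist means the default: same origin only.
function canAccess(accessorUrl, target) {
  const accessor = originOf(accessorUrl);
  if (accessor === originOf(target.url)) return true; // same origin: always
  const allow = target.allow || [];                     // default deny
  return allow.map(originOf).includes(accessor);       // opt-in only
}

// Constructed scenario from the message: foo.xhtml on example.org embeds
// bar.svg served from org.example; both are authenticated by cookies.
const foo = { url: "http://example.org/foo.xhtml" };
const bar = { url: "http://org.example/bar.svg" };

function scenario() {
  const barOptedIn = { ...bar, allow: ["http://example.org"] };
  return {
    // Neither document opted in: bar.svg cannot read the example.org user
    // name and foo.xhtml cannot read the org.example one.
    svgReadsXhtml: canAccess(bar.url, foo),
    xhtmlReadsSvg: canAccess(foo.url, bar),
    // bar.svg opts in to http://example.org specifically ...
    xhtmlReadsSvgAfterOptIn: canAccess(foo.url, barOptedIn),
    // ... which grants nothing to a different scheme or a third site.
    httpsXhtmlReadsSvgAfterOptIn: canAccess("https://example.org/foo.xhtml", barOptedIn),
    thirdSiteReadsSvgAfterOptIn: canAccess("http://attacker.example/", barOptedIn),
  };
}

console.log(scenario());
```

Run it under Node; `originOf` throws for schemes without a known default port rather than silently treating them as comparable, which is the safer failure for an access check.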