Re: <?access-control?> allows privelege escalation attacks with many embedding mechanisms

On Feb 19, 2006, at 6:32 PM, Ian Hickson wrote:

> On Sat, 18 Feb 2006, Maciej Stachowiak wrote:
>>
>> I thought about this some more, and it no longer makes sense to  
>> me. If
>> off-site XBL runs in the security context of the referencing  
>> document,
>> not the XBL document, then why would <?access-control?> be useful?
>
> You want to prevent people from being able to use off-site XBL files
> without those files being intended for that purpose because  
> otherwise you
> would be allowed to fetch any arbitrary XML on any site (including,  
> e.g.,
> authenticated extranet or intranet sites).

OK, makes sense for this use case. Thanks for the explanation. I did  
not think of the XBL file itself as potentially being the target of  
unauthorized data access.

Regards,
Maciej

Received on Monday, 20 February 2006 02:38:40 UTC