Re: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests] from Jon Ferraiolo on 2008-04-14 (public-webapi@w3.org from April 2008)

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Mon, 14 Apr 2008 08:42:21 -0700
To: Thomas Roessler <tlr@w3.org>
Cc: Chris Wilson <Chris.Wilson@microsoft.com>, David Ross <dross@windows.microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, Jonas Sicking <jonas@sicking.cc>, Laurens Holst <lholst@students.cs.uu.nl>, Marc Silbey <marcsil@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Nikhil Kothari <nikhilko@microsoft.com>, "public-appformats@w3.org" <public-appformats@w3.org>, "Web API WG (public)" <public-webapi@w3.org>, public-webapi-request@w3.org, Sharath Udupa <Sharath.Udupa@microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, "Close, Tyler J." <tyler.close@hp.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>
Message-ID: <OFCEF1B13A.D1DC44C1-ON8825742B.0055DE42-8825742B.0056466E@us.ibm.com>

Thomas Roessler <tlr@w3.org> wrote on 04/14/2008 08:21:50 AM:

> On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote:
>
> > On the architecture side, Access Control is just plain wrong,
> > with the PEP on the client instead of the server, which requires
> > data to be sent along the pipe to the client, where the client is
> > trusted to discard the data if the user isn't allowed to see the
> > data; it is just plain architecturally wrong to transmit data
> > that is not meant to be seen.
>
> This seems to confuse the attacker model a bit.  It's not about the
> user not being permitted to see the data, it's about a web
> application from a different origin not being allowed to manipulate
> the data, even though the user is allowed to see the data.

The comment in question wasn't about CSRF or other data-setting attacks on
a server, but instead about how it is architecturally wrong to send data
that ultimately will be thrown out when it reaches the client. If I was
outside of the standards world and wrote some code that did this, I would
be embarrassed to show such an implementation during a code walkthrough.
The policy check should be done before the data is transmitted.

Jon

Received on Monday, 14 April 2008 15:45:42 UTC