- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 14 Apr 2008 19:03:29 -0700
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- CC: Thomas Roessler <tlr@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, David Ross <dross@windows.microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, Laurens Holst <lholst@students.cs.uu.nl>, Marc Silbey <marcsil@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Nikhil Kothari <nikhilko@microsoft.com>, "public-appformats@w3.org" <public-appformats@w3.org>, "Web API WG (public)" <public-webapi@w3.org>, public-webapi-request@w3.org, Sharath Udupa <Sharath.Udupa@microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, "Close, Tyler J." <tyler.close@hp.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>
Jon Ferraiolo wrote: > Thomas Roessler <tlr@w3.org> wrote on 04/14/2008 08:21:50 AM: > > > On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote: > > > > > On the architecture side, Access Control is just plain wrong, > > > with the PEP on the client instead of the server, which requires > > > data to be sent along the pipe to the client, where the client is > > > trusted to discard the data if the user isn't allowed to see the > > > data; it is just plain architecturally wrong to transmit data > > > that is not meant to be seen. > > > > This seems to confuse the attacker model a bit. It's not about the > > user not being permitted to see the data, it's about a web > > application from a different origin not being allowed to manipulate > > the data, even though the user is allowed to see the data. > > The comment in question wasn't about CSRF or other data-setting attacks > on a server, but instead about how it is architecturally wrong to send > data that ultimately will be thrown out when it reaches the client. If I > was outside of the standards world and wrote some code that did this, I > would be embarrassed to show such an implementation during a code > walkthrough. The policy check should be done before the data is transmitted. XDR seems to force much more data to be transmitted only to be thrown away. In the case of site A loading data from site B the whole resource is first transferred from site B to the client. Only then does the client make the decision to throw that data away if site B hasn't allowed cross-site access to the data. This does not only force the whole resource to be transferred only to be thrown away, it also forces the PEP to be the client as the server is given absolutely no information about who site A is. / Jonas
Received on Tuesday, 15 April 2008 02:06:06 UTC