- From: Zhenbin Xu <Zhenbin.Xu@microsoft.com>
- Date: Wed, 25 Jun 2008 18:53:55 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Sunava Dutta <sunavad@windows.microsoft.com>, Arthur Barstow <art.barstow@nokia.com>, Marc Silbey <marcsil@windows.microsoft.com>, public-webapps <public-webapps@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, David Ross <dross@windows.microsoft.com>, "Mark Shlimovich (SWI)" <marksh@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Michael Champion <Michael.Champion@microsoft.com>
> -----Original Message----- > From: Jonas Sicking [mailto:jonas@sicking.cc] > > What do you mean by "additional" here? In addition to what? > [Zhenbin Xu] It is a defense in depth measure to protect legacy servers. > I think some people are as concerned about their personal photo album > as > they are about their bank account, so i'm not sure there is a big > difference between the two. But I do agree that some parts of personal > data is likely to have different security requirements than other > parts. > > I don't know how the banking people will feel about CS-XHR. It should > be > as safe as any other HTTP/HTTPS transaction and banks seem happy to > send > banking data using those protocols. > [Zhenbin Xu] I suspect banks would ever be comfortable to allow request coming from third-party domains and rely on client side enforcement of the x-domain policy sending down from server. Merely exposing the policy to client is already dangerous information disclosure in that kind of situation. And if banks will not be using it, trying to create a solution for them is not a good proposition. But again I don't know fully what CS-XHR is intended for so a set of scenarios would help here. Targeting public data only allows XDR to solve a big problem yet remain secure. We can easily come up many useful Mashup scenarios by simply aggregating x-domain public data on the web today.
Received on Thursday, 26 June 2008 01:55:20 UTC