RE: Need PDF of MS' input [Was Re: Seeking earlier feedback from MS]

> -----Original Message-----
> From: Jonas Sicking [mailto:jonas@sicking.cc]
>
> What do you mean by "additional" here? In addition to what?
>

[Zhenbin Xu] It is a defense-in-depth measure to protect legacy servers.


> I think some people are as concerned about their personal photo album
> as they are about their bank account, so I'm not sure there is a big
> difference between the two. But I do agree that some parts of personal
> data are likely to have different security requirements than other
> parts.
>
> I don't know how the banking people will feel about CS-XHR. It should
> be as safe as any other HTTP/HTTPS transaction, and banks seem happy to
> send banking data using those protocols.
>

[Zhenbin Xu] I suspect banks would never be comfortable allowing requests
coming from third-party domains and relying on client-side enforcement of
the x-domain policy sent down from the server. Merely exposing the policy
to the client is already a dangerous information disclosure in that kind of
situation. And if banks will not be using it, trying to create a solution
for them is not a good proposition.

But again, I don't know fully what CS-XHR is intended for, so a set of scenarios
would help here.

Targeting public data only allows XDR to solve a big problem yet remain secure.
We can easily come up with many useful mashup scenarios by simply aggregating x-domain
public data on the web today.

Received on Thursday, 26 June 2008 01:55:20 UTC