Cross-Site Requests, Users, UI (and What We're Trying to Fix) from Arun Ranganathan on 2008-07-03 (public-webapps@w3.org from July to September 2008)

From: Arun Ranganathan <arun@mozilla.com>
Date: Thu, 03 Jul 2008 12:49:51 -0700
To: public-webapps@w3.org, sunavad@windows.microsoft.com, zhenbin.xu@microsoft.com
Message-ID: <486D2D5F.9080808@mozilla.com>

All,

At the recent F2F discussions in Redmond covering XMLHttpRequest (Level 
2) and Access Control, the question of user involvement came up more 
than once.  This discussion raised issues about whether or not the user 
should be informed by a user interface mechanism in the browser that a 
cross-site request was taking place.  In general, discussion about 
*notifying the user* is part of a larger discussion about enabling sites 
to exchange *user-private data* via browser-based APIs such as 
postMessage and XMLHttpRequest with Access Control.

Within Mozilla, we had several discussions about private data exchanges 
and the pros and cons of a user notification mechanism.   Opinions 
within Mozilla vary.  Often, given the nature of our open community and 
open participation model, we have to agree to disagree.  Some hold the 
opinion that obtaining private data through a cross-site transaction, 
even with a mitigation mechanism such as Access Control, creates 
security or privacy scenarios that are unfavorable to end users.  These 
same parties hold that at the very least, the user should have a user 
interface mechanism to stop the transaction.  Others, including myself, 
hold the opinion that it is better to fundamentally *improve* existing 
cross-site access mechanisms, which certainly do not inform the user 
today [1], and to encourage developers to use safer APIs to build 
applications that engage in cross-site transactions.  Moreover, it is 
desirable to introduce a mechanism that allows for "stricter" script 
inclusion, including inline scripts and maintaining lists of domains 
that are safe to script scr="" from [2].

The way forward might be to:

1. introduce new mechanisms to do what developers do already[1], but 
allow them to be done safer, and to
2. "clean up" unsafe legacy mechanisms[2] as best as possible. 

While user interface mechanisms may help to generally inform the user 
and customize their web experience (e.g. stopping third party Cookies, 
etc.), "STOP | CONTINUE" type messages affiliated with APIs such as 
XMLHttpRequest (with AC) may be misleading in this context, since sites 
that wish to exchange data can use any number of mechanisms[1] on the 
web today and not inform the user.  Of course, it is generally good 
behavior for sites that store user-private data to have privacy policies 
and inform the user about any sharing with other sites.

-- A*
[1] A (Not Exhaustive) Listing of Cross Site Mechanisms: 
http://www.arunranga.com/articles/browser-cross-site.html
[2] Straw Person Proposal for Site Security Policy: 
http://people.mozilla.com/~bsterne/site-security-policy/

Received on Thursday, 3 July 2008 19:50:33 UTC