- From: Sean Hogan <shogun70@westnet.com.au>
- Date: Wed, 11 Feb 2009 15:42:02 +1100
- To: Anne van Kesteren <annevk@opera.com>
- CC: WebApps WG <public-webapps@w3.org>, Maciej Stachowiak <mjs@apple.com>
Anne van Kesteren wrote:
> On Tue, 10 Feb 2009 13:00:35 +0100, Sean Hogan <shogun70@westnet.com.au> wrote:
>> I don't think the presented XBL use case is valid:
>>
>> "An XBL binding allows full access to the document it is bound to and therefore cross-origin XBL usage is prohibited. The resource sharing policy enables cross-origin XBL bindings. If the user is authenticated with the server that hosts the XBL widget it is possible to have a user-specific cross-origin bindings."
>>
>> I'm not sure whether "an XBL binding allows full access to the document it is bound to" is talking about accessing the DOM of the bound-document or the binding-document, but I don't think either case requires access-control.
>>
>> I don't see where the XBL spec says that the bound-document must have access to the binding-document, so I don't understand why cross-origin restrictions would apply.
>>
>> And I don't understand why we should prohibit the XBL binding having access to the bound-document. That's the whole point of XBL, and we already have the same situation with <script src>. If you don't trust the XBL bindings then don't reference them, just like with scripts.
>
> That example is based on
>
> http://www.w3.org/TR/2007/CR-xbl-20070316/#security
>
> and maybe some discussion with Ian regarding this. It's been a while.
>
> Does that help?

Ok, I can see that the use case is consistent with what is in the XBL spec. I prefer the following wording:

An XBL binding allows the document to which it is bound to have full access to the document in which it is defined; therefore cross-origin XBL usage is prohibited.

I disagree with the security context of an XBL document being the bound document, but that isn't relevant to this thread.
Received on Wednesday, 11 February 2009 04:43:56 UTC