- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 17 Dec 2009 17:38:09 +0000 (UTC)
- To: Kenton Varda <kenton@google.com>
- Cc: Maciej Stachowiak <mjs@apple.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, Jonathan Rees <jar@creativecommons.org>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Thu, 17 Dec 2009, Kenton Varda wrote:
>
> OK, I'm sure that this has been said before, because it is critical to
> the capability argument:
>
> If Bob can access the data, and Bob can talk to Charlie *in any way at
> all*, then it *is not possible* to prevent Bob from granting access to
> Charlie, because Bob can always just serve as a proxy for Charlie's
> requests.

If confidentiality was the only problem, this would be true. However, it's not the only problem.

One of the big reasons to restrict which origin can use a particular resource is bandwidth management. For example, resources.example.com might want to allow *.example.com to use its XBL files, but not allow anyone else to directly use the XBL files straight from resources.example.com. A proxy isn't a plausible attack in this scenario, because if someone can set up a proxy, they can with much more ease simply host the original file (which isn't a problem from the point of view of the original site). Furthermore, if someone _does_ host a proxy, then they are taking the same load hit as the original site, and therefore the risk to the original site is capped.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 17 December 2009 17:38:38 UTC