- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 21 Dec 2009 14:54:10 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps <public-webapps@w3.org>
On Mon, Dec 21, 2009 at 2:39 PM, Ian Hickson <ian@hixie.ch> wrote: > On Mon, 21 Dec 2009, Tyler Close wrote: >> >> No, there is a difference in access-control between the two designs. >> >> In the two header design: >> 1) An XHR GET of the XBL file data by example.org *is* allowed. >> 2) An <xbl> import of the XBL data by example.org triggers a rendering error. > > That's a bad design. It would make people think they had secured the file > when they had not. The headers explicitly say that a read request from any Origin is allowed: Access-Control-Allow-Origin: * The above syntax is the one CORS came up with. How could it be made clearer? > Security should be consistent across everything. It is. All Origins have read access. The data just renders in a different way depending on if/how it is embedded. >> In the one header design: >> 1) An XHR GET of the XBL file data by example.org is *not* allowed. >> 2) An <xbl> import of the XBL data by example.org triggers a rendering error. > > That's what I want. What you want, and the mechanism you propose to get it, are at odds. I've described the CSRF-like attack multiple times. The access control model you propose doesn't actually work. To actually control access to the XBL file data you need to use something like the secret token designs we've discussed. >> Under the two header design, everyone has read access to the raw bits >> of the XBL file. > > That's a bad thing. In the scenario you described, everyone *does* have read access to the raw bits. Anyone can just direct their browser to example.org and save the data. In your scenario, we were just trying to discourage bandwidth stealing. >> The one header design makes an empty promise to protect read access to >> the XBL file. > > How is it an empty promise? See above. We don't seem to be making any progress at understanding each other, so I'm going to give up on this thread until I see some signs of progress. Thanks for your time. --Tyler -- "Waterken News: Capability security on the Web" http://waterken.sourceforge.net/recent.html
Received on Monday, 21 December 2009 22:54:42 UTC