[whatwg] Re: Cross Domain Policies

On Sun, 25 Jul 2004 22:48:38 +0100, Malcolm Rowe
<malcolm-what at farside.org.uk> wrote:
> Note that Doron started out by saying "Back at Netscape". Far from being
> recent, that document was written in April 2003. It also looks like it's
> been implemented in the Mozilla SOAP code since about then - see bugzilla
> bugs 183824 and 203371.

I think that shows how much they've failed to get the point across
that they've changed the normal expected behaviour of scripting in
Mozilla so that it's no longer true that cross-domain scripting is
blocked.

> Finally, note that signed scripts with sufficient privileges (and 'trusted'
> unsigned scripts?) bypass this restriction entirely.

Of course, no problem with this, this is the "normal" expected
security model, it's the new security model I have serious concerns
with.

> Correct, from what I've seen. But if your bank allows damage to be done
> using untrusted (and almost certainly unauthenticated) SOAP calls, you've
> got more to worry about.

I'm sure there are plenty of scenarios where web services are purely
controlled by IP address authentication; there are some on the
corporate LAN I spend all too many days on.

> Bear in mind that the *only* reason that this
> mechanism exists is to prevent untrusted scripts from probing random SOAP
> services (and other non-SOAP HTTP services, too, as it happens),

No, the reason it's there is to allow SOAP calls to other domains
without needing raised security privileges; it's introducing laxer
security (normally no scripts can make cross-domain requests that get
data).  Please don't pretend it's there to tighten security.

> As it says in the document: "The proposed declaration file places the server
> operator, not the client in control of access to his server by untrusted
> scripts".

Yep, that's a BAD thing!  It's not something to applaud, and it's
certainly not something to sneak into a . release of a major UA.

Jim.

Received on Sunday, 25 July 2004 15:12:45 UTC