Re: XPath/XQuery and all that - ACTION-3

> Right. So the possibly-just-about-relevant concern here would
> be that WSC does such a fine job on the lower-hanging fruit
> that bad actors move to (ab-)using these less well known
> "advanced" XML technologies. (I have a general concern that
> many of these XML technologies are being developed with no or
> few accompanying security considerations, but that's not a WSC
> thing.)

It doesn't sound like it's in charter, unless it can be used to subvert 
the robustness of mechanisms that present sec ctx info to the end user. As 
future-looking examples, if we recommend blocking visual or chrome 
areas, then XPath could only be a concern if it could overwrite those. Or 
if there were "shared secrets" in memory, XPath would only be a concern if 
they leaked those secrets to someone who shouldn't share them. 

        Mez

Received on Thursday, 16 November 2006 23:24:20 UTC