- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 5 Dec 2007 14:39:03 -0500
- To: tyler.close@hp.com
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
- Message-ID: <OFA682F7E3.0BC16EE7-ON852573A8.006BD473-852573A8.006BF1D2@LocalDomain>
Thanks Tyler. When you're ready you (and Bill, and Hal) should send your
(their) comments directly to them at public-appformats@w3.org.
Mez
From: "Close, Tyler J." <tyler.close@hp.com>
To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
Date: 12/05/2007 02:04 PM
Subject: Comments on: Access Control for Cross-site Requests
I've got one major comment on this proposal that I think is sufficient to
send it back to the drawing board. I'll delay making more detailed
comments about the proposal until I find out the answer to the major
comment.
A significant portion of the proposal is devoted to specifying a policy
language for determining whether or not a page from a particular "root
URI" should be allowed to issue a cross-domain request to a particular
server. I think the problem can be solved without the server and the
client software agreeing on such a policy language. For example, rather
than have the server specify the rules for cross-domain requests and have
the client enforce these rules, the client should simply send the request
information to the server and have the server enforce its own rules. I see
no advantage to placing this logic in the client, as opposed to the
server. Placing the logic in the client introduces significant complexity
which creates many opportunities for implementation bugs, specification
ambiguity and misunderstanding by web application developers, while
possibly limiting the kinds of policies a server can enforce.
There is also a significant factual error in the document's Introduction:
"""
However, it is not possible to exchange the contents of resources or
manipulate resources "cross-domain".
"""
It *is* possible to manipulate resources "cross-domain". An HTML page can
contain a FORM which submits an HTTP request "cross-domain". Submission of
this request can be automated using Javascript. The Same Origin Policy
only prevents the HTML page from accessing the response to the issued
request. Manipulation is allowed. Only responses are protected, not
requests.
--Tyler
--
[1] "Access Control for Cross-site Requests"
<http://www.w3.org/TR/access-control/>
Received on Wednesday, 5 December 2007 19:39:21 UTC
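The alternative Tyler describes, the client forwarding the request information and the server enforcing its own rules, and his observation that a cross-domain FORM submission still reaches the server, can both be made concrete in a small server-side decision function. The following is an added example and is not code from the thread, from the W3C working group or from the Access Control draft. It assumes, as later CORS standardised, that the browser sends the requesting page's origin in an `Origin` request header and that the server opts a page into reading the reply with an `Access-Control-Allow-Origin` response header; header names are lower-cased as Node's `http` module presents them. The sample policy and requests are constructed.

```javascript
// Added example (not part of the thread): the server keeps its cross-site
// policy to itself and decides per request, instead of shipping a policy
// language for the client to interpret.
// Assumptions (not from the draft under discussion): the browser sends an
// `Origin` request header and honours `Access-Control-Allow-Origin` in the
// reply; header names are lower-cased as Node's http module presents them.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Parse "scheme://host[:port]" into its parts; return null for anything else.
function parseOrigin(value) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?$/i.exec(value || "");
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3] ? Number(m[3]) : scheme === "https" ? 443 : scheme === "http" ? 80 : null;
  return { scheme, host, port };
}

// Exact (scheme, host, port) comparison. No substring or suffix matching, so
// "https://app.example.attacker.test" never matches "https://app.example".
function sameOrigin(a, b) {
  return !!a && !!b && a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Decide what the server should do with one request.
//   req:    { method, headers: { origin?: string } }
//   policy: { allowedOrigins: string[] }  -- the server's own rule, never sent to clients
// Returns { process, responseHeaders, reason }:
//   process === false  -> answer 403 and touch no application state
//   responseHeaders    -> the header that lets the requesting page read the reply
function decideCrossSiteRequest(req, policy) {
  const raw = req.headers.origin;
  if (raw === undefined) {
    // Under the assumption above a browser always sends Origin, so a missing
    // header means a non-browser client; a deployment that cannot rely on
    // this must fall back to another request-forgery defence.
    return { process: true, responseHeaders: {}, reason: "no-origin" };
  }
  const origin = parseOrigin(raw);
  if (!origin) {
    return { process: false, responseHeaders: {}, reason: "malformed-origin" };
  }
  const allowed = policy.allowedOrigins.map(parseOrigin).some((o) => sameOrigin(o, origin));
  if (allowed) {
    // Echo the exact origin rather than "*" so the allow-list stays meaningful.
    return { process: true, responseHeaders: { "Access-Control-Allow-Origin": raw }, reason: "allowed" };
  }
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    // A foreign page may fetch, but gets no header and so cannot read the body.
    return { process: true, responseHeaders: {}, reason: "foreign-origin-read-only" };
  }
  // Tyler's point: a cross-domain FORM POST reaches the server regardless of the
  // Same Origin Policy, so state-changing requests from unknown origins are refused here.
  return { process: false, responseHeaders: {}, reason: "foreign-origin-state-change" };
}

// Constructed sample policy and requests.
const policy = { allowedOrigins: ["https://app.example"] };
const samples = [
  { method: "GET", headers: { origin: "https://app.example" } },
  { method: "POST", headers: { origin: "https://app.example.attacker.test" } },
  { method: "GET", headers: { origin: "https://elsewhere.test" } },
  { method: "POST", headers: {} },
];

for (const req of samples) {
  console.log(req.method, req.headers.origin || "(none)", "->", decideCrossSiteRequest(req, policy));
}
```

The server can change `policy` at any time without the client knowing a policy language exists, which is the simplification Tyler argues for; the only client-visible contract is the pair of headers.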