- From: T. V. Raman <tvraman@us.ibm.com>
- Date: Wed, 25 Aug 2004 11:14:07 -0700
- To: bobbateman@sequoiallc.com
- Cc: www-forms@w3.org
I think Aaron might be confusing cross-site scripting attacks
with cross-site Web Service invocations.
The former --- as evinced by all of today's heavily scripted Web
--- is a dangerous hole, and one should certainly not allow code
that comes from one site to execute within another, let alone
code across sites executing in the same page.
The world of Web Services is *different* from cross-site
scripting; the whole point is that a Web Service allows a
provider to expose a specific piece of information in a form
that is independent of browser-specific HTML: no presentation, no
scripts please. And the "last mile of web services" --- which is
what formsPlayer with Web Services demonstrates today, i.e.
integrating data from different Web Services into a consistent
whole --- is still achieved with no cross-site scripting.
So let's keep our threads untangled:
Cross-site scripting: BAD
Cross-Site Web Services Integration: GOOD
>>>>> "Robert" == Robert Bateman <bobbateman@sequoiallc.com> writes:
Robert> Aaron,
Robert>
Robert> On Tuesday 24 August 2004 04:49 pm, Aaron Reed wrote:
>> I also have a question about XForms security. For
>> example, the formsPlayer example at:
>> http://www.formsplayer.com/community/samples/google-search.html.
>>
>> Running this example in a browser should raise eyebrows.
>> Submitting SOAP to domains DIFFERENT from the one where
>> the page was downloaded and REPLACING content in the
>> current page so that the user doesn't have any kind of cue
>> that something just happened seems like the kind of power
>> for a form that we don't want to encourage (in a browser
>> context, at least). Is
Robert>
Robert> I can't disagree with you more here...
Robert>
Robert> Why should the user care that a SOAP message was sent
Robert> to a domain and the results displayed on the screen?
Robert> If you are concerned about sending a SOAP message to
Robert> a secure site, there are WS-xxxx standards that are
Robert> developed / being developed that address security.
Robert>
Robert> But getting back to the original XForms example, let's
Robert> change the example a little bit. Let's say I have
Robert> created a nifty portal for all users of the
Robert> Blackberry(tm). Through my portal, my subscribers can
Robert> book flights, hotels, cars, check traffic, get
Robert> directions, weather updates, and more.
Robert>
Robert> Is it smarter for me to send a SOAP message to a
Robert> hotel to make or alter a reservation or to open a
Robert> window? Too many of today's browser exploits exist
Robert> because the browser executes arbitrary code. In the
Robert> case of SOAP, there is no code to execute at the
Robert> client. The results of the SOAP message are data
Robert> that is acted upon or rendered.
Robert>
Robert> And for those cases where I have to worry about
Robert> security or authentication, the community is working
Robert> on those very issues. But I suspect that you and I
Robert> will not have to worry about those things in most of
Robert> the work we will see in the near future.
Robert>
Robert>
Robert> Of course, these are just my opinion.
Robert>
Robert> Bob
Robert>
--
Best Regards,
--raman
------------------------------------------------------------
T. V. Raman: PhD (Cornell University)
IBM Research: Human Language Technologies
Architect: Conversational And Multimodal WWW Standards
Phone: 1 (408) 927 2608 T-Line 457-2608
Fax: 1 (408) 927 3012 Cell: 1 650 799 5724
Email: tvraman@us.ibm.com
WWW: http://almaden.ibm.com/u/tvraman
AIM: TVRaman
GPG: http://www.almaden.ibm.com/cs/people/tvraman/raman-almaden.asc
Snail: IBM Almaden Research Center,
650 Harry Road
San Jose 95120
Received on Wednesday, 25 August 2004 18:14:56 UTC
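The distinction drawn in this thread, script from another site executing in the page (bad) versus data from another site's Web Service being rendered into the page (fine), holds only at the point where the returned values are put into the document. The following is an added illustration, not code from this thread, from formsPlayer or from any XForms processor: it parses a constructed SOAP response (the urn:example:search namespace, the element names and the injected title and URL are all made up for the example) and renders the same result set two ways, one treating the service's values as markup and one treating them as text with the link scheme checked.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed SOAP response (not captured from any real service) standing in
# for what a third-party search Web Service might return to an XForms
# submission.  The second result carries a script element in its title and
# a javascript: URL, exactly the kind of "data" a hostile or compromised
# provider could send back.
SAMPLE_SOAP_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SearchResponse xmlns="urn:example:search">
      <result>
        <title>Harmless result</title>
        <url>http://example.org/page</url>
      </result>
      <result>
        <title>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</title>
        <url>javascript:alert(1)</url>
      </result>
    </SearchResponse>
  </soap:Body>
</soap:Envelope>
"""

# Namespaces used by the constructed envelope; the search namespace is invented.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "s": "urn:example:search",
}


def parse_results(soap_xml):
    """Pull (title, url) pairs out of the SOAP body as plain Python strings.

    After this step the values are data: the XML entities have been decoded,
    so the hostile title is now the literal text '<script>...</script>'.
    """
    root = ET.fromstring(soap_xml)
    results = []
    for item in root.findall("soap:Body/s:SearchResponse/s:result", NS):
        results.append({
            "title": item.findtext("s:title", default="", namespaces=NS),
            "url": item.findtext("s:url", default="", namespaces=NS),
        })
    return results


def render_unsafe(results):
    """Splice service data straight into HTML.  The decoded <script>
    element and the javascript: href reach the page verbatim."""
    return "".join(
        f'<li><a href="{r["url"]}">{r["title"]}</a></li>' for r in results
    )


def safe_href(url):
    """Allow only http/https links from the service; any other scheme
    (javascript:, data:, vbscript:) is replaced with an inert '#'."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_safe(results):
    """Render the same results as text: every value is HTML-escaped and
    the link scheme is checked, so the produced markup is inert."""
    return "".join(
        '<li><a href="{}">{}</a></li>'.format(
            html.escape(safe_href(r["url"]), quote=True),
            html.escape(r["title"], quote=True),
        )
        for r in results
    )


if __name__ == "__main__":
    rows = parse_results(SAMPLE_SOAP_RESPONSE)
    print("unsafe:", render_unsafe(rows))
    print("safe:  ", render_safe(rows))
```

The point for the XForms case is that "the results are data" is true of the wire format but not automatically of the page. A processor that copies instance data into the document as text is on the safe side of the line the thread draws; anything that interprets service output as HTML, or lets it supply an href without checking the scheme, has turned a cross-site data call back into cross-site scripting.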