- From: Nathan <nathan@webr3.org>
- Date: Mon, 10 May 2010 11:10:05 +0100
- To: Anne van Kesteren <annevk@opera.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>
Anne van Kesteren wrote:
> On Mon, 10 May 2010 11:16:54 +0200, Nathan <nathan@webr3.org> wrote:
>> long-term though, surely it's quite an issue that a web application,
>> running in a web browser, conforming to all the standards and the
>> design principles of the web, can't use the web?
>
> It's certainly annoying, but unless we start over I do not really see
> how we can change the (arguably broken) security fundamentals of the
> platform.

You can probably guess what I'm going to say..

There are 1,802,330,457 and counting internet users in the world; if you counted UAs it'd probably be much higher. At the minute 0 of them can use a client-side web application, in a web browser, to access resources on the web, using web standards that are deployed and supported on (insert figure here) of them - probably 90%+.

At the minute there's a drive to put applications "in the cloud", and there's the put-the-data-on-the-web drive, and afaict in the near future many will see that if the data is in the cloud, then the app can be stored on the web but run on the client.

Knowing me I'm being overly bold and out of place, but maybe it's better to start looking at the options and try and get something in place before the.. well you know.

> (What is being protected here are servers on an intranet that do not
> require authentication and servers that use IP-based authentication.
> Without the same-origin protection evil.example could get data from
> intranet.corp.example if a user that is on an intranet with access to
> intranet.corp.example visits evil.example (e.g. via a phishing attack).)

Yup, I remember the old MySpace user hacks and related very well.

Perhaps there are some options?

- user confirmation when one site attempts to access another?
- an inverted model where all XSS is allowed by default unless denied by CORS?
- application sandbox permissions, so a user can give a trusted app/script access to all web requests?
- others?

It stands to reason that all the limitations are imposed by UAs, so the UAs could provide the user with ways to set their own permissions and app/domain trust levels..?

Best,

Nathan
Received on Monday, 10 May 2010 10:11:18 UTC
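The opt-in protection Anne describes, set beside the inverted "allowed unless denied" model proposed in the reply, as an added illustration that is not part of the original thread: a simplified JavaScript model of the browser's CORS decision for non-credentialed requests, using the hostnames from the thread. The server responses, the `servers` table and the `x-cors-deny-origin` header of the inverted model are constructed assumptions for the example, not real hosts or a real header.

```javascript
// Added example, not code from the thread. Models the browser-side CORS
// check for a simple, non-credentialed cross-origin request: the script on
// the requesting origin may read the body only if the response carries an
// Access-Control-Allow-Origin header that is "*" or exactly that origin.
// Preflights, credentials and header-list details are deliberately omitted.

// Constructed responses, as the browser would receive them from each host.
const servers = {
  // Intranet host that knows nothing about cross-origin access: no CORS
  // headers at all. This is the case the same-origin policy protects.
  "http://intranet.corp.example": {
    headers: {},
    body: "internal payroll export",
  },
  // Public API that opted in to cross-origin reads from any origin.
  "http://api.example": {
    headers: { "access-control-allow-origin": "*" },
    body: "public weather data",
  },
  // Partner host that opted in for exactly one origin.
  "http://partner.example": {
    headers: { "access-control-allow-origin": "http://app.example" },
    body: "partner report",
  },
};

// Deployed (opt-in) model: the body reaches the script only when the server
// explicitly allows the requesting origin; otherwise it is withheld (null).
function corsOptIn(requestingOrigin, response) {
  const allow = response.headers["access-control-allow-origin"];
  if (allow === "*" || allow === requestingOrigin) return response.body;
  return null;
}

// Inverted model from the thread: every cross-origin read is allowed unless
// the server explicitly denies it. "x-cors-deny-origin" is a hypothetical
// header invented for this example. A server that has never heard of it,
// such as the intranet host above, becomes readable by any origin.
function corsOptOut(requestingOrigin, response) {
  const deny = response.headers["x-cors-deny-origin"];
  if (deny === "*" || deny === requestingOrigin) return null;
  return response.body;
}

// Run one model for a script on requestingOrigin fetching from targetOrigin.
function crossOriginRead(model, requestingOrigin, targetOrigin) {
  return model(requestingOrigin, servers[targetOrigin]);
}
```

Comparing the two models on the intranet host shows why the default matters: opt-in keeps the body from a script on evil.example, while opt-out hands it over unless the intranet operator has already deployed a deny header.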