Thomas Roessler wrote:
Section 8.2.2 takes a bit of a shortcut around cross-site data
access and scripting:

| User agents should implement a security mechanism such as the
| proposed <?access-control?> PI to prevent unauthorized
| cross-domain access. [ACCESSCONTROL]

 -- http://www.w3.org/TR/2007/CR-xbl-20070316/#scripting

The access-control processing-instruction (or, rather, the
specification around it) actually does not prevent unauthorized
cross-domain access, but rather expresses access authorizations that
extend beyond the current security model.

I agree the language is wrong, though the intent is right. It would be
better to say something like:

User agents should implement a security mechanism such as the
proposed <?access-control?> PI to allow cross-domain access to XBL
documents. [ACCESSCONTROL]

There's similarly misleading language in section 1.5:

| Data theft: A naïve implementation of XBL would allow any document
| to bind to bindings defined in any other document, and (since
| referencing a binding allows full access to that binding document's
| DOM) thereby allow access to any remote file, including those on
| intranet sites or on authenticated extranet sites.
|
| XBL itself does not do anything to prevent this. However, it is
| strongly suggested that an access control mechanism (such as that
| described in [ACCESSCONTROL]) be used to prevent such cross-domain
| accesses unless the remote site has allowed accesses.

 -- http://www.w3.org/TR/2007/CR-xbl-20070316/#security

Similarly here, the wording can be improved:

XBL itself does not do anything to prevent this. However, it is
strongly suggested that same-origin policies be used to prevent such
cross-domain accesses together with access control mechanisms (such as
that described in [ACCESSCONTROL]) to allow cross-domain access when the
remote site has allowed access.

/ Jonas
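To make the distinction in this thread concrete (same-origin policy as the default that prevents cross-domain binding, and the access-control PI as something that can only widen that default), here is an added illustrative decision routine; it is not code from the XBL or Access Control specifications, and the `<?access-control allow="..."?>` syntax it parses is a simplified assumption rather than the draft's exact grammar.

```python
import re
from urllib.parse import urlsplit

# Constructed XBL binding document. The PI syntax (allow="" holding a
# whitespace-separated list of origins, "*" for any) is an assumption made
# for this example, not the grammar of the W3C Access Control draft.
BINDING_DOC = """<?xml version="1.0"?>
<?access-control allow="https://app.example.com https://portal.example.org"?>
<xbl xmlns="http://www.w3.org/ns/xbl"><binding id="b"/></xbl>
"""

PI_RE = re.compile(r'<\?access-control\s+([^?]*)\?>')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin tuple."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, p.port or default)


def allowed_origins(doc):
    """Return the set of origins granted by the PI, or None if there is none."""
    m = PI_RE.search(doc)
    if not m:
        return None
    attrs = dict(ATTR_RE.findall(m.group(1)))
    return set(attrs.get("allow", "").split())


def may_bind(requesting_url, binding_url, binding_doc):
    """Decide whether the requesting document may bind to binding_doc.

    Same-origin access is always permitted: that is the policy doing the
    preventing. The PI can only extend that default to further origins;
    it never denies access the same-origin policy would have granted.
    """
    req, tgt = origin_of(requesting_url), origin_of(binding_url)
    if req == tgt:
        return True
    grants = allowed_origins(binding_doc)
    if not grants:
        return False  # no PI present: stay with plain same-origin policy
    if "*" in grants:
        return True
    return any(origin_of(g) == req for g in grants)
```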

