Doyle, Bill wrote:
1. The cross-site scripting protocol must include strong
cryptographic mechanisms to ensure that the server can restrict use of
the capabilities to authenticated and authorized clients.
The third party site can require that all communication between the
third party server and the browser is done using https by simply denying
all access requests done through any other means.
The third party site can also require that all communication between the
browser and the requesting site is done over https by only white-listing
https servers.
Does this satisfy the request?
Additionally, it is possible to extend this further in the future by
adding additional attributes to require even stronger protection. This
is done in a forwards compatible manner by saying that a current
implementation that sees any unrecognized attributes must deny access.
2. The protocol must provide the ability for a server to support
fine grained access control. e.g. a server should be able to limit write
access to a specific client noted in item 1.
Any type of access, including write access can be limited according to
the rules described above.
3. Protocol must be able to restrict inheritance of a clients
access control rights by other clients.
I don't quite understand this question.
4. Resources must be protected until access is granted; the
security consideration that resources are not revealed is not strong enough.
The only requests that can be made without explicit authorization are
GET requests. These requests are already possible today. The site should
be protected from any other requests until it grants access.
Best Regards,
Jonas Sicking
