Hi Jon,
Jon Ferraiolo wrote:
> * The Access Control mechanism MUST not broaden the attack
> surface for hackers, particularly with regard to CSRF
Could you elaborate a bit on this constraint? For example, one interpretation
might be that the currently proposed mechanism violates this constraint since
any cookies or HTTP Auth credentials the user may have are included in the
request sent to the server (the opposite of what's done in the JSONRequest
proposal). In essence, the current proposal is one for determining the set of
hosts that are allowed to issue CSRF requests, which is a broadening of the
CSRF attack surface.
On a related note, I'm uncomfortable with the use of the term access-control in
this specification and discussion, since the discussed mechanism doesn't
actually control access. For example, it is not a replacement for whatever
mechanism a server is currently using to determine whether or not to process a
received request. You can't add an XML PI to your document and say: "Good, that
takes care of access-control!" The current naming of elements, headers and
discussion terminology might lead one to believe so.
--Tyler
--
[1] "Access Control for Cross-site Requests"
<http://www.w3.org/TR/access-control/>
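As an added illustration of the point made in the message above (this is not code from the original message, from the W3C draft, or from the JSONRequest proposal): a small JavaScript model of a server that publishes an Access Control allow-list and still has to authorize state-changing requests itself, because the browser attaches the user's session cookie to cross-site requests regardless of what the policy says. Everything named here is assumed for illustration and is not taken from the page: the origins, the cookie and `X-CSRF-Token` header names, an `Origin`-style request header, and the `Access-Control: allow <...>` response syntax.

```javascript
// Added illustration, not the W3C draft's or the original author's code.
// Models two separate decisions a server makes on a cross-site request:
//   1. policyAllowsOrigin(): what the Access Control mechanism expresses.
//      It only tells the *browser* whether to expose the response to script.
//   2. authorize(): whether the server should act on the request at all.
//      Cookies arrive no matter which site sent the request, so a valid
//      session by itself proves nothing about the user's intent.
// All names, origins, and the header syntax below are assumptions.

const OWN_ORIGIN = "https://app.example";                 // assumed own site
const ALLOWED_ORIGINS = ["https://partner.example"];      // constructed policy

// Constructed session store: cookie value -> session. The CSRF token is a
// per-session secret that a third-party page cannot read.
const SESSIONS = new Map([
  ["sess-abc123", { user: "alice", csrfToken: "tok-9f8e7d" }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Decision 1: does the published allow-list cover this origin?
function policyAllowsOrigin(origin) {
  return origin !== undefined && ALLOWED_ORIGINS.includes(origin);
}

// Decision 2: should the server process the request? Independent of 1.
function authorize(req) {
  const cookies = parseCookies(req.headers.cookie || "");
  const session = SESSIONS.get(cookies.session);
  if (!session) return { status: 401, reason: "no session" };

  // Side-effect-free methods are not a CSRF concern for processing.
  if (req.method === "GET" || req.method === "HEAD") {
    return { status: 200, reason: "safe method" };
  }

  // State-changing request. If the browser told us where it came from,
  // reject sites we neither own nor trust. Absence of Origin (e.g. a plain
  // form post) falls through to the token check, which is the real defence.
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== OWN_ORIGIN && !policyAllowsOrigin(origin)) {
    return { status: 403, reason: "origin not trusted" };
  }

  // The ambient cookie is not enough: require the per-session token, which
  // only a page that legitimately read it from our site can supply.
  if (req.headers["x-csrf-token"] !== session.csrfToken) {
    return { status: 403, reason: "missing or bad CSRF token" };
  }
  return { status: 200, reason: "authorized" };
}

// Combines both decisions into a response. Note that the policy header is
// emitted whenever the origin is allow-listed, even on a 403: the allow-list
// describes visibility to the caller, not permission to act.
function handle(req) {
  const auth = authorize(req);
  const headers = {};
  if (policyAllowsOrigin(req.headers.origin)) {
    headers["Access-Control"] = `allow <${req.headers.origin}>`; // assumed syntax
  }
  return { status: auth.status, reason: auth.reason, headers };
}

// Constructed sample requests. Every one carries Alice's session cookie,
// because the browser sends it regardless of the requesting site.
const COOKIE = "session=sess-abc123";
const SAMPLE = {
  evilPost:            { method: "POST", headers: { origin: "https://evil.example", cookie: COOKIE } },
  evilFormPostNoOrigin:{ method: "POST", headers: { cookie: COOKIE } },
  partnerPostNoToken:  { method: "POST", headers: { origin: "https://partner.example", cookie: COOKIE } },
  partnerPostWithToken:{ method: "POST", headers: { origin: "https://partner.example", cookie: COOKIE,
                                                    "x-csrf-token": "tok-9f8e7d" } },
  evilGet:             { method: "GET",  headers: { origin: "https://evil.example", cookie: COOKIE } },
};

for (const [name, req] of Object.entries(SAMPLE)) {
  const res = handle(req);
  console.log(name, res.status, res.reason, JSON.stringify(res.headers));
}
```

The case worth staring at is `partnerPostNoToken`: the origin is on the allow-list, so the `Access-Control` header goes out, yet the request is refused because nothing beyond the ambient cookie vouches for it. Conversely `evilGet` is processed (it is side-effect free) but gets no policy header, so the browser withholds the body from the calling page. The allow-list decides the second thing; only the server's own check decides the first.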