Hixie, David, All,
Here's an input for the XBL2 Use Case (C&P'ed from the XBL2 spec)
that David started at [AC-UC]:
[[
The <a href="http://www.w3.org/TR/xbl/">XML Binding Language</a>
(XBL) is a mechanism for overriding the standard presentation and
interactive behavior of particular elements by attaching those
elements to appropriate definitions, called bindings. Bindings can be
attached to elements using either CSS, the DOM, or by declaring, in
XBL, that elements matching a specific selector are implemented by a
particular binding. The element that the binding is attached to,
called the bound element, acquires the new behavior and presentation
specified by the binding.
In this context, data theft is a security concern since a naïve
implementation of XBL would allow any document to bind to bindings
defined in any other document, and (since referencing a binding
allows full access to that binding document's DOM) thereby allow
access to any remote file, including those on intranet sites or on
authenticated extranet sites.
XBL itself does not do anything to prevent this. However, the XBL
specification strongly suggests that an access control mechanism
(such as that described in [ACCESSCONTROL]) be used to prevent such
cross-domain accesses unless the remote site has allowed accesses.
]]
Regards, Art Barstow
---
[AC-UC] <http://dev.w3.org/2006/waf/access-control/AccessControl-Requirements-20080114.html>