Jon Ferraiolo wrote:
> Thomas Roessler <[EMAIL PROTECTED]> wrote on 04/14/2008 08:21:50 AM:
> > On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote:
> >
> > > On the architecture side, Access Control is just plain wrong,
> > > with the PEP on the client instead of the server, which requires
> > > data to be sent along the pipe to the client, where the client is
> > > trusted to discard the data if the user isn't allowed to see the
> > > data; it is just plain architecturally wrong to transmit data
> > > that is not meant to be seen.
> >
> > This seems to confuse the attacker model a bit. It's not about the
> > user not being permitted to see the data, it's about a web
> > application from a different origin not being allowed to manipulate
> > the data, even though the user is allowed to see the data.
>
> The comment in question wasn't about CSRF or other data-setting attacks
> on a server, but instead about how it is architecturally wrong to send
> data that ultimately will be thrown out when it reaches the client. If I
> was outside of the standards world and wrote some code that did this, I
> would be embarrassed to show such an implementation during a code
> walkthrough. The policy check should be done before the data is transmitted.
XDR seems to force much more data to be transmitted only to be thrown
away. In the case of site A loading data from site B the whole resource
is first transferred from site B to the client. Only then does the
client make the decision to throw that data away if site B hasn't
allowed cross-site access to the data.
This not only forces the whole resource to be transferred only to be
thrown away, it also forces the PEP to be the client, as the server is
given absolutely no information about who site A is.
/ Jonas
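To make the two placements of the policy enforcement point concrete, here is an added illustration that is not part of the thread and is not code from either the Access Control draft or XDR. It models both designs with a constructed resource and a constructed origin allowlist: in the server-side model the server reads the requester's origin and decides before writing a body; in the client-side model the server always transmits the body plus an advisory header (the header name `X-Allowed-Origins` is an assumed placeholder, as is the use of the modern `Access-Control-Allow-Origin` name on the server-side branch), and the client is trusted to drop the body afterwards. The `bytes_transferred` comparison shows what the thread is pointing at: for a disallowed origin the server-side design puts zero body bytes on the wire, while the client-side design transfers the whole resource and then discards it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data for the illustration (not from the thread).
ALLOWED_ORIGINS = {"https://a.example"}          # origins site B permits
RESOURCE_BODY = b'{"account": "site B data that only allowed origins may read"}'


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def server_side_pep(origin: Optional[str]) -> Response:
    """PEP on the server: the decision is taken before any body is written.

    `origin` is the value of the request's origin header; None means the
    client identified no origin at all, which is treated as not allowed.
    """
    if origin is not None and origin in ALLOWED_ORIGINS:
        # Assumed header name (the one modern CORS uses); the point is only
        # that the body is sent solely when the check has passed.
        return Response(200, {"Access-Control-Allow-Origin": origin}, RESOURCE_BODY)
    # Nothing sensitive leaves the server for a disallowed or unknown origin.
    return Response(403, {}, b"")


def client_side_pep(origin: Optional[str]) -> Tuple[Response, Optional[bytes]]:
    """PEP on the client: the server cannot tell who is asking, so it always
    sends the body together with an advisory allowlist header (assumed name
    X-Allowed-Origins), and the client discards the body if it is not listed.

    Returns the response as it appeared on the wire and what the requesting
    page is ultimately allowed to read.
    """
    on_wire = Response(
        200,
        {"X-Allowed-Origins": " ".join(sorted(ALLOWED_ORIGINS))},
        RESOURCE_BODY,
    )
    permitted = on_wire.headers["X-Allowed-Origins"].split()
    exposed = on_wire.body if origin in permitted else None
    return on_wire, exposed


def bytes_transferred(origin: Optional[str]) -> Dict[str, int]:
    """Body bytes that cross the network to the client under each model."""
    server_resp = server_side_pep(origin)
    client_wire, _ = client_side_pep(origin)
    return {"server_side": len(server_resp.body), "client_side": len(client_wire.body)}


if __name__ == "__main__":
    for origin in ("https://a.example", "https://other.example", None):
        print(origin, bytes_transferred(origin))
```

The asymmetry only matters for origins that are not allowed: for an allowed origin both models transfer the same body. The second problem the thread raises, that the server has no information about site A, is what makes the client-side branch unable to do anything smarter than "send everything and hope the client honours the header".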