Re: Content Security Policy feedback

2008-12-01 Thread Bil Corry
On Nov 22, 2:03 pm, Lucas Adamski [EMAIL PROTECTED] wrote:
> Yes, my understanding is that Access Control is actually intended as a
> generic cross-site server policy mechanism, and XHR is just its first
> implementation.

Anne confirmed that it's not intended to be XHR-only, however it's not
intended for all types of requests either.  He specifically said it
would not work for iframe due to cross-site scripting issues.


- Bil
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security


Re: Content Security Policy feedback

2008-12-01 Thread Lucas Adamski
I think this is true, but it kind of depends on how you look at it.  I
think sometimes different types of cross-domain operations can get
conflated together:

* cross-domain scripting - when code in one domain has the ability to
access another domain's code or DOM
* cross-domain data importing - transferring data from the context of
one domain into another domain (XHR with AC, stylesheets)
* cross-domain content loading - hands-off content loading operations
such as IFRAME and IMG tags that leave content in their respective
security domains--aka embedding

In this (conveniently simplified) model, since iframe is a content
loading operation, it doesn't need Access Control.   Nor am I sure what
it would really even mean to apply Access Control to it (would it be
permitting data importing or scripting?)

Probably the biggest fly in my otherwise nicely-simple ointment is
SCRIPT SRC=.  Is it cross-domain scripting or data importing?  It may
seem like scripting at first blush, but you may not have even
instantiated any code from the source domain, and in the end it's not
much different than loading data via XHR+AC and then calling eval() on
it.  So I would argue that even SCRIPT SRC= is a data import
operation, just one that is (alas) permitted by default and
automatically evals everything it loads.

So perhaps we are just agreeing insofar that Access Control should never
govern cross-domain scripting.  Whether it could/should be extended to
govern (opt-out of) cross-domain loading/embedding is an interesting
one.  Thanks,
  Lucas.

Bil Corry wrote:
> On Nov 22, 2:03 pm, Lucas Adamski [EMAIL PROTECTED] wrote:
> > Yes, my understanding is that Access Control is actually intended as a
> > generic cross-site server policy mechanism, and XHR is just its first
> > implementation.
>
> Anne confirmed that it's not intended to be XHR-only, however it's not
> intended for all types of requests either.  He specifically said it
> would not work for iframe due to cross-site scripting issues.
>
> - Bil