30
edits
Specifications/Cross Domain Access Policies: Difference between revisions
Jump to navigation
Jump to search
m
Specifications/Cross Domain Access Policies (view source)
Revision as of 19:33, 19 May 2005
, 19 May 2005Clean up and improve clarity (says me ;) )
mNo edit summary |
m (Clean up and improve clarity (says me ;) )) |
||
| Line 2: | Line 2: | ||
== Introduction == | == Introduction == | ||
One of the oldest security | One of the oldest security models in browsers today is the cross-domain policy. Browsers restrict pages from accessing data from pages on other domains. However, modern browsers can now consume services such as XML datasources or SOAP, and these types of public web services are being hampered by the strict cross-domain security model. This document attempts to specify a new model, by which domains can specify which other domains can access them. | ||
== Problem == | == Problem == | ||
Public web services can be consumed from any domain using server-side scripting. The reason browsers cannot allow the same is because they create a new problem which server-side scripts do not have, namely allowing the circumvention of firewalls | Public web services can be consumed from any domain using server-side scripting. The reason browsers cannot allow the same behavior is because they create a new problem which server-side scripts do not have, namely, allowing the circumvention of firewalls such as those used by corporate intranets. | ||
A browser being used behind a firewall can connect to both the | A browser being used behind a firewall can connect to both the Internet and the intranet. If browsers allowed websites to access any domain, then a malicious Internet site visited by a firewall user could access web services inside the firewall (where such services usually assume they can be accessed only from behind the firewall). For example, a company may have an internally public web service that queries into its employee database. | ||
Two | Two independent groups ended up implementing a solution in a very similar way: allow the web service domain to specify who may access it, and then the client (such as a browser) makes sure the cross-domain call is permitted. Macromedia implemented this for Flash 7, and Netscape implemented this for consuming XML Web Services (SOAP/WSDL) from JavaScript in Mozilla-based products. | ||
The goal of this document is to standardize | The goal of this document is to standardize these two approaches into a more generic model so that it can cover more use cases. | ||
== Controlling Cross Domain Access on the Server == | == Controlling Cross-Domain Access on the Server == | ||
Both solutions used an XML file in the root | Both solutions used an XML file in the root directory of the web service provider. For example, if one were trying to load <tt><nowiki>http://www.foo.com/service/foo.xml</nowiki></tt>, the policy-setting XML file would reside at <tt><nowiki>http://www.foo.com/</nowiki></tt>. Note that this policy file would not affect services provided on subdomains, such as <tt><nowiki>http://service.foo.com/</nowiki></tt>. If no file were found, then access would be denied, ensuring that no existing service could be called without specifically allowing it. | ||
=== The Policy File === | === The Policy File === | ||
| Line 25: | Line 25: | ||
</cross-domain-policy> | </cross-domain-policy> | ||
The root node is called '''cross-domain-policy''', and it contains as many '''allow''' elements as needed. The client walks the '''allow''' elements until it finds one that matches the request type and the caller's domain. If no match is found, the cross domain request is denied by the client. The DTD for the file: | The root node is called '''cross-domain-policy''', and it contains as many '''allow''' elements as needed. The client walks the '''allow''' elements until it finds one that matches both the request type and the caller's domain. If no match is found, the cross-domain request is denied by the client. The DTD for the file: | ||
<!ELEMENT cross-domain-policy (allow*)> | <!ELEMENT cross-domain-policy (allow*)> | ||
| Line 32: | Line 32: | ||
=== Whitelisting === | === Whitelisting === | ||
The policy file works like a whitelist. | The policy file works like a whitelist. It lists which outside domains have access to web-services and what types of services they may consume. The '''allow''' element is used for this, and the domain is specified in it's '''from''' attribute. Full domains may be used, such as <tt><nowiki>www.foo.com</nowiki></tt>, or wildcarded ones such as <tt><nowiki>*.foo.com</nowiki></tt>, or even just <tt><nowiki>*</nowiki></tt> to allow any domain. If no '''from''' attribute is set, then any domain is allowed. | ||
=== Types of Services === | === Types of Services === | ||
The type of service allowed is set via the case-sensitive type attribute on the allow element. The default type is "any", which allows any service to be accessed from that domain. | The type of service allowed is set via the case-sensitive '''type''' attribute on the '''allow''' element. The default type is "any", which allows any service to be accessed from that domain. | ||
<table cellspacing="0"> | <table cellspacing="0"> | ||
| Line 67: | Line 67: | ||
=== Delegation === | === Delegation === | ||
The optional '''delegate''' attribute (default is false) on the '''allow''' element allows the policy file to | The optional '''delegate''' attribute (default is false) on the '''allow''' element allows the policy file to redirect the client to another policy file. In other words, if an outside (but allowed) domain is trying to access a web service on a subdomain on the current domain, then the client should look for a policy file in that subdomain. If no policy file is found in the subdomain, then access is rejected and access policy processing ceases. | ||
Given this policy file at http://www.company.com/cross-domain-policy.xml: | Given this policy file at <tt><nowiki>http://www.company.com/cross-domain-policy.xml</nowiki></tt>: | ||
<?xml version="1.0"?> | <?xml version="1.0"?> | ||
| Line 77: | Line 77: | ||
</cross-domain-policy> | </cross-domain-policy> | ||
If http://bar.foo.com tries to load the XML file http://www.company.com/service/foo.xml, the client will look for http://www.company.com/service/cross-domain-policy.xml. If found, that policy file is proccessed and the current policy file is discarded. If the file is missing, the current policy file is discarded | If <tt><nowiki>http://bar.foo.com</nowiki></tt> tries to load the XML file <tt><nowiki>http://www.company.com/service/foo.xml</nowiki></tt>, the client will look for <tt><nowiki>http://www.company.com/service/cross-domain-policy.xml</nowiki></tt>. If found, that policy file is proccessed and the current policy file is discarded. If the file is missing, the current policy file is discarded anyway and access is rejected. | ||
== Concerns == | == Concerns == | ||
<ul> | <ul> | ||
<li>In a multi-user system, the root node needs the policy file and it also needs to delegate so that the users can regulate access. Should we perhaps put the file in the same subdirectory | <li>In a multi-user system, the root node needs the policy file and it also needs to delegate so that the users can regulate access. Should we perhaps put the file in the same subdirectory where the service is located? If we did, would this be a security risk? I would think not, since if the user got compromised, only his web service would be accessed, and the compromiser would already have access to all its data.</li> | ||
</ul> | </ul> | ||