[Project_owners] Web Services Security Model

Fabio Serra mab at faser.net
Tue Oct 21 23:07:11 EDT 2003


I belive that Web Services and the Mozilla WebServiceProxyFactory object 
could be a real boost to develop Rich Web Client Applications with the 
Mozilla Platform. With the term *Web* Client Application I mean, 
application that can be loaded from a web page without the need to install 
anything.
Unfortunately there is one more time the same big problem: the security policy.
If I have well understood the security model 
(http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html) 
you can directly connect to a Web Service only when the web service 
provider have put an XML file in his root directory. With this XML file the 
web service provider can decide if the web service is accessible by anyone, 
from certain domains only and so on. This rule is respected and it is valid 
only for the Mozilla clients.
The practical consequence of this security model is that from Mozilla will 
be probably impossible to connect directly to Web Services.
 From the users side the security model don't give any real security and 
advantage because I can use WebServiceProxyFactory  to connect to a server 
of mine with the XML file and exchange all data I want. The security model 
is also useless for the web service provider that I think he doesn't  set 
up all his security policy basing only on an XML file.
 From the application developer point of view (our point of view) the 
security policy means that we can't use directly (without XPI) Amazon Web 
Services, Google Web Services and so on. To use these Web Services we have 
to ask to put this "magical" XML file in their root directory.
Maybe there is something I missed, because Macromedia Flash MX have adopted 
the same concept, but unfortunately they use a different XML file that they 
call crossdomain.xml
http://www.macromedia.com/devnet/mx/flash/articles/fplayer_security.html
http://moock.org/asdg/technotes/crossDomainPolicyFiles/
Some Flash developer have just contacted Amazon asking to put the Flash 
crossdomain.xml in their web site
http://forums.prospero.com/am-assocdevxml/messages?msg=3340.1
We can do the same, but is this a pratical way?
Ok, this is my very humble opinion. I would like to know what do you think 
about this policy and who can be contacted to explain my point of view, 
maybe in the future something could be changed.
=================
Fabio Serra
http://mab.mozdev.org
=================



More information about the Project_owners mailing list