[Project_owners] Web Services Security Model
mab at faser.net
Tue Oct 21 23:07:11 EDT 2003
I believe that Web Services and the Mozilla WebServiceProxyFactory object
could be a real boost to developing Rich Web Client Applications with the
Mozilla Platform. By the term *Web* Client Application I mean an
application that can be loaded from a web page without the need to install
Unfortunately, there is once again the same big problem: the security policy.
If I have well understood the security model
you can directly connect to a Web Service only when the web service
provider has put an XML file in his root directory. With this XML file the
web service provider can decide if the web service is accessible by anyone,
from certain domains only and so on. This rule is respected and it is valid
only for the Mozilla clients.
The practical consequence of this security model is that from Mozilla it will
probably be impossible to connect directly to Web Services.
From the user's side the security model doesn't give any real security and
advantage because I can use WebServiceProxyFactory to connect to a server
of mine with the XML file and exchange all the data I want. The security model
is also useless for the web service provider, who I think doesn't set
up all his security policy based only on an XML file.
From the application developer's point of view (our point of view) the
security policy means that we can't directly use (without XPI) Amazon Web
Services, Google Web Services and so on. To use these Web Services we have
to ask them to put this "magical" XML file in their root directory.
Maybe there is something I missed, because Macromedia Flash MX has adopted
the same concept, but unfortunately they use a different XML file that they
Some Flash developers have just contacted Amazon asking them to put the Flash
crossdomain.xml on their web site
We can do the same, but is this a practical way?
OK, this is my very humble opinion. I would like to know what you think
about this policy and who can be contacted to explain my point of view;
maybe in the future something could be changed.