[Project_owners] Web Services Security Model

Marcio Galli mgalli at mgalli.com
Tue Oct 21 14:33:09 EDT 2003

Good thing that Macromedia is using the same approach. I think I missed 
your point about your opinion; if it is about evaluation and 
optimizations to the model, I completely agree that more input is 
needed. For now I am adding more data here:

That security model is not the only thing in place in Mozilla; here you 
have another related approach, which is considered an optimization to 
that model:


Here is the page about Mozilla Web Services:


xmethods.com is using that XML file, so Mozilla pages can connect with 
xmethods.com, for example this sample ( 
). Do you have the link to the documentation about the Macromedia 
model? I think that information is very important for us.


I think a compilation of your main points, with suggestions and ways to 
use the model, other organizations and their models, as well as cases of 
usage of the different models, is something valuable to Mozilla 
Foundation staff and community.

Fabio Serra wrote:

> I believe that Web Services and the Mozilla WebServiceProxyFactory 
> object could be a real boost to develop Rich Web Client Applications 
> with the Mozilla Platform. With the term *Web* Client Application I 
> mean an application that can be loaded from a web page without the need 
> to install anything.
> Unfortunately there is one more time the same big problem: the 
> security policy.
> If I have understood the security model correctly 
> (http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html) 
> you can directly connect to a Web Service only when the web service 
> provider has put an XML file in his root directory. With this XML 
> file the web service provider can decide if the web service is 
> accessible by anyone, from certain domains only and so on. This rule 
> is respected and it is valid only for the Mozilla clients.
> The practical consequence of this security model is that from Mozilla 
> it will probably be impossible to connect directly to Web Services.
> From the user's side the security model doesn't give any real security 
> and advantage because I can use WebServiceProxyFactory to connect to 
> a server of mine with the XML file and exchange all data I want. The 
> security model is also useless for the web service provider, who I 
> think doesn't set up all his security policy based only on an XML 
> file.
> From the application developer point of view (our point of view) the 
> security policy means that we can't use directly (without XPI) Amazon 
> Web Services, Google Web Services and so on. To use these Web Services 
> we have to ask them to put this "magical" XML file in their root directory.
> Maybe there is something I missed, because Macromedia Flash MX has 
> adopted the same concept, but unfortunately they use a different XML 
> file that they call crossdomain.xml
> http://www.macromedia.com/devnet/mx/flash/articles/fplayer_security.html
> http://moock.org/asdg/technotes/crossDomainPolicyFiles/
> Some Flash developers have just contacted Amazon asking to put the 
> Flash crossdomain.xml in their web site
> http://forums.prospero.com/am-assocdevxml/messages?msg=3340.1
> We can do the same, but is this a practical way?
> Ok, this is my very humble opinion. I would like to know what you 
> think about this policy and who can be contacted to explain my point 
> of view, maybe in the future something could be changed.
> =================
> Fabio Serra
> http://mab.mozdev.org
> =================
> _______________________________________________
> Project_owners mailing list
> Project_owners at mozdev.org
> http://mozdev.org/mailman/listinfo/project_owners
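
The policy-file check discussed in this thread, as an added example that is not part of either message or of Mozilla's or Macromedia's code: a client-side evaluation of a Flash-style crossdomain.xml, plus a provider-side audit for entries that open the service to every origin. The sample policies, host names and function names are constructed, and the wildcard rule (`*.d` matches subdomains of `d` only) is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="apps.example.org"/>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain patterns granted by allow-access-from entries."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return []  # not a policy file: grant nothing (fail closed)
    return [e.get("domain").strip().lower()
            for e in root.iter("allow-access-from") if e.get("domain")]


def pattern_matches(pattern, host):
    """Assumed rule: '*' = any host, '*.d' = subdomains of d, else exact match."""
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Keep the leading dot so "evilpartner.example" does not match.
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(policy_xml, requesting_host):
    """Client-side decision: may a page served from requesting_host call the service?"""
    try:
        patterns = allowed_patterns(policy_xml)
    except ET.ParseError:
        return False  # malformed or missing policy: deny
    return any(pattern_matches(p, requesting_host) for p in patterns)


def audit(policy_xml):
    """Provider-side check: list entries that open the service to every origin."""
    return [p for p in allowed_patterns(policy_xml) if p == "*"]
```

The decision is made entirely by the client that fetched the file, so the policy restricts only clients that choose to honour it; server-side authentication is still needed for anything sensitive.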
