XML News from Monday, December 10, 2007

The W3C Voice Browser, Web APIs, and Web Application Formats (WAF) Working Groups have posted a new draft of Enabling Read Access for Web Resources (formerly Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0). According to the draft,

Cross-site requests are possible using the HTML img and script elements for instance. However, it is not possible to exchange the contents of resources or manipulate resources "cross-domain". This is to prevent information leakage and to ensure that malicious site can not delete your calendar data with cross-site requests using the HTTP DELETE method.

The policy this document introduces allows a resource to opt-in to allowing cross-site data retrieval of it and also enables a mechanism based on the same policy to allow a resource to opt-in to requests using an HTTP method other than GET. This policy builds on top of the existing restrictions already in place. This policy described in this document can only be used by a technology, such as XMLHttpRequest or XBL, when the respective specification of that technology describes how it applies.

The access control policy is defined in the resource that might be obtained and is expected to be enforced by the client that retrieves and processes the resource. Thus the client is trusted and acts as a policy enforcement point.