XML News from Saturday, May 27, 2006

The W3C Voice Browser, Web APIs and Web Application Formats (WAF) Working Groups have worked together to release a specification so colossally brain damaged it could not possibly have been designed by a single group. I am referring to, Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0. In brief, "This note describes a mechanism being used in the industry that allows a content provider to use a processing instruction embedded within the XML prolog to specify the access policy of that content. In this model a user agent can safely extend the sandbox in which it has restricted the application to include access to the XML content if and only if the specified policy grants permission." For example, you would put the processing instruction <?access-control allow="www.sun.com" deny="www.microsoft.com"?> in a document prolog, and Sun can read it but Microsoft can't. In other words, the client is supposed to trust the document it receives because that document says to trust it? Or in reverse, the server is supposed to believe thaqt the client will obey any restrictions placed in the document? I keep thinking they can't possibly mean what they say, but they really seem to. At best this is a very poorly written specification that doesn'tt explain what it's actually trying to do. At worst, it's the single most broken security design I've seen in years, and that's saying a lot.