XML News from Sunday, October 7, 2007

The W3C Voice Browser, Web APIs, and Web Application Formats (WAF) Working Groups have posted a new draft of Enabling Read Access for Web Resources (formerly Authorizing Read Access to XML Content Using the <?access-control?> Processing Instruction 1.0). According to the draft,

The Web has a rich set of resources that can be combined to build content, applications and feature-rich Web sites. A contributor to this richness is Web sites including references (e.g. a link or an image inclusion) to resources residing in other domains.

To prevent information leakage, user agents, such as Web browsers, implement a same origin policy that allows a document (e.g. some JavaScript) to read, process, or otherwise interrogate the contents of another resource if, and only if, the other resource resides in the same domain. This policy prevents domain A, acting on behalf of the user, to get information from domain B. For instance, this prevents a malicious site from reading information from the user's intranet using a technology such as XMLHttpRequest.

This restriction is very strict and generally appropriate. However, there are scenarios where an application would like to get data from another resource on the Web without these restrictions. For this to work the browser's same origin policy has to be extended or eased. For example, a car reservation Web site may want to request trip itinerary data from an affiliated airline reservation website to streamline making a car reservation. The easing of read access restrictions is particularly important to Web browsers that implement the XMLHttpRequest object and VoiceXML 2.1 browsers using the data element.

To facilitate clear and controlled read access to resources, this specification defines a read access control mechanism that enables a Web resource to permit access to its content from external domains when such access would otherwise be prohibited by a same origin policy. The defined mechanism only works in conjunction with other specifications that are using the read access control mechanism to enable read access.