[OpenAjaxSecurity] W3C Access Control vs JSONRequest

Jon Ferraiolo jferrai at us.ibm.com
Tue Jan 8 21:55:04 PST 2008

There has been recent discussion on W3C mailing lists about the potential
competitiveness between the W3C Access Control spec and the JSONRequest
proposal from Doug Crockford. In fact, there has been tons of pushback
recently on W3C Access Control from people at IBM (a couple of us), BEA,
HP, some W3C folks from other working groups, and probably some others that
I have forgotten.

Mozilla says that they are implementing both specs in Firefox3.

I have submitted my comments on Access Control vs JSONRequest as follows:

* Don't force the industry to deal with two overlapping technologies and
two new sets of security worries. Pick at most one of Access Control or

* My preference among the two would be JSONRequest for various reasons:
   - JSONRequest puts decisions about who gets access to the data on the
server rather than the client
   - JSONRequest has a couple of security features that look attractive to
me, such as timeouts and random timing support if there are errors
   - I would argue that JSONRequest has what's needed (GET & POST,
requirement that servers have to opt-in) and no more. To me, Access Control
is unnecessary complicated due to its approach to do policy management on
the client. In particular, I don't like the Allow/Deny features in W3C
Access Control. I don't see it being useful except in wildcard scenarios,
such as "*" (i.e., allow everyone) or to grant access to all subdomains
within a single site
   - JSONRequest doesn't send cookies, so less worry about CSRF

* I also expressed the opinion that it would be better if JSONRequest
supported both JSON and XML payloads. (Some people are attempting to write
up JSONRequest as an option because it only supports JSON. They also try to
write-off JSONRequest because it doesn't solve their proclaimed need to
achieve cross-domain access to XBL and XSLT files, which I think isn't the
driving requirement.)

What does everyone else think? If there is a consensus of opinion from
OpenAjax people, I can forward that to the W3C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openajax.org/pipermail/security/attachments/20080108/7f3882dd/attachment.html 

More information about the security mailing list