Mozilla Web Services Security Model


(This document is being compiled from scattered documentation and source code and most of the information in it has not been verified. Please do not depend on anything in it being correct for security.)

To prevent the browser from being used as a tool for Web sites to obtain privileges that belong to the browser's user (such as being behind a firewall or getting the benefits of the user's cookies), Web browsers restrict what Web pages can do when accessing things in other domains. These restrictions apply to Web Services.

However, Web Services can be designed to be accessed from other domains, or even from any domain. Mozilla allows sites hosting such Web Services to tell Mozilla that other sites can access the service. They do this by creating a file called web-scripts-access.xml in the root of the server that grants permission for other domains to access Web Services. For example, to determine what Web sites can access a Web Service at, Mozilla would load the file, which may choose to delegate the decision to

web-scripts-access.xml File Format

The web-scripts-access.xml file is an XML document. Any errors in XML syntax, as well as many failures to follow the format, will cause the document to be ignored.

The webScriptAccess element

Its root element must be a webScriptAccess element in the namespace. This element must have either one delegate element child or any number (0 or more) of allow element children. All of these child elements must be in the same namespace as the parent, and must be empty.

The delegate element

A delegate element means that the browser should delegate the access control to a web-scripts-access.xml file in the directory that the service is in. For example, when accessing a Web Service at, if the access file at contains a delegate element, Mozilla will instead use to determine whether access is permitted. If no such file exists, then access will be denied.

The allow element

If no delegate elements are present or if the Web Service is in the same directory as the web-scripts-access.xml file, then the allow elements will be processed. If the file exists but contains no allow elements, then all access will be allowed. If allow elements exist, then the access will be allowed if one of them allows it.

The type attribute

The type attribute of the allow element can take the following values:

means that the allow element applies to all services that use web-scripts-access.xml for security checks. There may be more such services in the future than there are now. This is the same as not having a type attribute.
[Not implemented!] Ability to load documents via XMLHttpRequest or similar mechanisms.
SOAP requests without verification headers
SOAP requests with verification headers

The from attribute

The from attribute on the allow element says which calling sites the allow element applies to. If there is no from attribute then the allow element applies to all sites. The from attribute otherwise gives a URL to match, which may contain up to two asterisks (*) that match any characters in the URL. The match is done against a URL from which the directory and file have been removed, so trying to match a specific page will cause the entire match to fail. (Is this correct?)
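The rules in this section can be written out as a small evaluator for auditing an access file. This is an added example, not Mozilla's code, and it follows the rules only as this page states them. The namespace value is a constructed placeholder, the function and parameter names are hypothetical, and two behaviours are assumptions: a from pattern with more than two asterisks never matches, and every format failure causes the file to be ignored.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed placeholder: the real namespace URI is not shown on this page.
NS = "urn:example:web-scripts-access"

def from_matches(pattern, caller_url):
    """Match a from pattern against the caller URL minus directory and file."""
    if pattern is None:
        return True                       # no from attribute: applies to all sites
    if pattern.count("*") > 2:
        return False                      # assumption: over the two-asterisk limit never matches
    parts = urlsplit(caller_url)
    site = f"{parts.scheme}://{parts.netloc}"
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, site) is not None

def decide(xml_text, caller_url, request_type, service_in_file_dir=True):
    """Return 'allow', 'deny', 'delegate' or 'ignored' for one access file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "ignored"                  # XML syntax errors: document is ignored
    if root.tag != f"{{{NS}}}webScriptAccess":
        return "ignored"
    kids = list(root)
    if any(len(k) or (k.text or "").strip() for k in kids):
        return "ignored"                  # children must be empty
    tags = [k.tag for k in kids]
    if tags == [f"{{{NS}}}delegate"]:
        # Same directory: the (absent) allow elements are processed, so access is allowed.
        return "allow" if service_in_file_dir else "delegate"
    if any(t != f"{{{NS}}}allow" for t in tags):
        return "ignored"                  # assumption: every format failure is fatal
    if not kids:
        return "allow"                    # file exists with no allow elements
    for k in kids:
        # The match-all type value is not named on this page, so only a
        # missing type attribute is treated as applying to every request type.
        type_ok = k.get("type") in (None, request_type)
        if type_ok and from_matches(k.get("from"), caller_url):
            return "allow"
    return "deny"
```

A result of 'delegate' means the caller must evaluate the web-scripts-access.xml file in the service's own directory next, and deny access if that file does not exist.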

web-scripts-access.xml Examples

These examples are untested! Somebody should test them to make sure they do what is claimed.

Allow all services on a site to be accessed from any Web page

Note that this is only a sensible thing to do if nothing on the site serves content based on cookies, HTTP authentication, IP address / domain origin, or any other method of authentication.

<webScriptAccess xmlns=""/>

Allow access to SOAP services within a services directory

To allow access to services only within a certain directory (i.e., the directory where the safe, public, non-authenticated services are), you need one web-scripts-access.xml in the root directory of the server and one in the directory containing the services. In the root directory of the server:

<webScriptAccess xmlns="">
  <allow type="none"/>
</webScriptAccess>

And in the services directory:

<webScriptAccess xmlns="">
  <allow type="soapv"/>
  <allow type="soap"/>
</webScriptAccess>

Good examples



Additional Reading