
Re: comments on access control for cross-site requests - WSC member

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 18 Dec 2007 20:15:10 +0100
To: "Doyle, Bill" <wdoyle@mitre.org>, "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t3jo3kpk64w2qv@annevk-t60.oslo.opera.com>

On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
> Not sure how the web server protects itself - "site should be protected
> from any other requests until it grants access"

Per the current policy in place the Web server FOO.COM is protected by the client not allowing a site on BAR.COM to retrieve information from FOO.COM. A site on BAR.COM can already issue a GET request to FOO.COM using <img>, <script>, etc. This same GET request is used to allow cross-site exchange of information through an opt-in policy as defined by the draft.


> I understand that the 3rd party can restrict access. The requirement is
> for the web server to have a mechanism (i.e. configuration setting or
> other type of control) that allows or disallows access control for
> cross-site requests and the web server has the ability to restrict 3rd
> party access to settings that are controlled by the web server.

What exactly makes you think this is not possible?


> Issue is that the web server owner loses Information Assurance (IA)
> control, this is an issue for my customers. IA control cannot be handed
> over to a 3rd party. For my customers, the web server owners need to
> manage the IA settings.

Do you have a more concrete scenario that illustrates this? I'm not sure I follow.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 18 December 2007 19:14:04 GMT
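The exchange above turns on one point: the GET from BAR.COM is sent no matter what, and the only thing the opt-in policy changes is whether script on BAR.COM gets to read FOO.COM's response, a decision FOO.COM expresses in its own response header and the user agent enforces. The following is an added example, not code from the original message or from the WAF WG draft. It uses the header names CORS later standardized (Origin on the request, Access-Control-Allow-Origin on the response); the 2007 draft's own header syntax differed, so treat those names, the origins and the "reflect any origin" policy as assumptions chosen for illustration. It models both halves: the server's allow-list (the control Bill Doyle asks for) and the client-side check, and puts the weak reflect-everything configuration beside the correct one.

```javascript
// Added example: models the opt-in policy discussed in the thread using the
// header names CORS later standardized (assumption: the 2007 draft used a
// different syntax). Origins and allow-lists below are constructed sample data.

// --- Server side: FOO.COM's configuration, controlled only by FOO.COM ---

// Constructed allow-list of origins FOO.COM's owner permits to read its
// responses cross-site. An empty set means "never opt in".
const FOO_ALLOWED_ORIGINS = new Set(["https://partner.example"]);

// Correct policy: opt in only for an origin on the server's own allow-list.
// Returns the Access-Control-Allow-Origin value to send, or null for "do not opt in".
function serverOptIn(requestOrigin, allowedOrigins = FOO_ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string") return null;          // no Origin header
  return allowedOrigins.has(requestOrigin) ? requestOrigin : null;  // echo exact origin only
}

// Weak policy (the loss of IA control the thread worries about): reflecting
// whatever Origin arrives lets the 3rd party decide, so every site can read.
function serverReflectsAnyOrigin(requestOrigin) {
  return typeof requestOrigin === "string" ? requestOrigin : null;
}

// --- Client side: the user agent enforcing the policy for a page on BAR.COM ---

// Minimal case-insensitive header lookup, modelled on the Headers interface.
function headersOf(obj) {
  const m = new Map(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
  return { get: (k) => (m.has(k.toLowerCase()) ? m.get(k.toLowerCase()) : null) };
}

// The request has already been sent (exactly as an <img> or <script> GET would be);
// this decides only whether script on pageOrigin may read the response body.
function clientMayReadResponse(pageOrigin, responseHeaders, withCredentials = false) {
  const allow = responseHeaders.get("access-control-allow-origin");
  if (allow === null) return false;        // server did not opt in: body stays hidden
  if (allow === "*") return !withCredentials;  // wildcard never exposes credentialed responses
  return allow === pageOrigin;              // otherwise a byte-for-byte origin match is required
}

// Simulate one cross-site GET: page on pageOrigin -> FOO.COM -> page.
// optInPolicy is the server-side function FOO.COM has deployed.
// Returns the body if the page may read it, otherwise null.
function simulateCrossSiteGet(pageOrigin, optInPolicy, withCredentials = false) {
  // 1. The request leaves the browser with the page's origin attached.
  const request = { method: "GET", origin: pageOrigin };
  // 2. FOO.COM answers; it alone decides whether to add the opt-in header.
  const response = { body: "secret data", headers: {} };
  const optIn = optInPolicy(request.origin);
  if (optIn !== null) response.headers["Access-Control-Allow-Origin"] = optIn;
  // 3. The user agent exposes the body to the page's script, or withholds it.
  const readable = clientMayReadResponse(pageOrigin, headersOf(response.headers), withCredentials);
  return readable ? response.body : null;
}

// Usage: with the default allow-list only partner.example can read FOO.COM's data;
// with the reflecting policy any origin can, which is the configuration to avoid.
simulateCrossSiteGet("https://bar.com", (o) => serverOptIn(o));
simulateCrossSiteGet("https://bar.com", serverReflectsAnyOrigin);
```

The point the simulation makes concrete is that nothing in the mechanism hands FOO.COM's decision to anyone else: the allow-list lives in FOO.COM's configuration, and a site on BAR.COM can only ever read what FOO.COM explicitly named it for. The failure mode is entirely on the server side, in a policy like serverReflectsAnyOrigin that echoes the requester's origin unconditionally; the client check is the same in both cases.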
