- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 18 Dec 2007 23:09:22 +0100
- To: "Doyle, Bill" <wdoyle@mitre.org>, "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Tue, 18 Dec 2007 21:09:13 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
> ## Sorry I was not clear. The Web Server needs to be able to control
> its IA boundary. In your description and reply the client provides the
> protection.

The Web server could simply refuse to handle requests that have a
Referer-Root HTTP header in them.

>> I understand that the 3rd party can restrict access. The requirement
>> is for the web server to have a mechanism (i.e. configuration setting or
>> other type of control) that allows or disallows access control for
>> cross-site requests and the web server has the ability to restrict
>> 3rd party access to settings that are controlled by the web server.
>
> What exactly makes you think this is not possible?
>
> ## Please explain how this is possible.

You could simply refuse to handle requests with a Referer-Root HTTP header.

>> Issue is that the web server owner loses Information Assurance (IA)
>> control, this is an issue for my customers. IA control cannot be
>> handed over to a 3rd party. For my customers, the web server owners
>> need to manage the IA settings.
>
> Do you have a more concrete scenario that illustrates this? I'm not
> sure I follow.
>
> ## Draft notes that the client becomes the Policy Decision Point, the
> IA boundary of the server is extended to include the client.

Yes, but the mechanism is opt-in, so only if the Web server allows this it
would take part. Otherwise everything will work exactly like it does now.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 18 December 2007 22:08:27 UTC
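The server-side control Anne describes above (refuse to handle any request that carries a Referer-Root HTTP header, so the server owner keeps the policy decision regardless of what the client does) as an added example; this is not code from the thread, from the draft, or from any W3C or Opera project. It assumes a Python WSGI application with a hypothetical `accept_cross_site` configuration flag; the only header name taken from the discussion is Referer-Root, and nothing else about the draft mechanism is modelled.

```python
# Added example (not part of the mailing-list thread): a WSGI application
# that enforces the policy from the reply above on the server side. With the
# hypothetical ACCEPT_CROSS_SITE setting left at False, any request carrying a
# Referer-Root header is refused outright, so the server never takes part in
# the client-driven cross-site mechanism; same-site requests are unaffected.
from wsgiref.simple_server import make_server

# Hypothetical server configuration setting (an assumption of this example):
# the web server owner, not the client, decides whether cross-site requests
# flagged by the draft mechanism are handled at all.
ACCEPT_CROSS_SITE = False

# WSGI presents request headers as HTTP_<NAME>, upper-cased with '-' turned
# into '_', so the gateway already gives us a case-insensitive header match.
REFERER_ROOT_KEY = "HTTP_REFERER_ROOT"


def has_referer_root(environ):
    """True if the request carries a Referer-Root header, whatever its value."""
    return REFERER_ROOT_KEY in environ


def cross_site_policy(environ, accept_cross_site=ACCEPT_CROSS_SITE):
    """Return (status, body) for a request.

    If the request carries a Referer-Root header and the server has not been
    configured to accept cross-site requests, refuse it with 403. Everything
    else is handled as an ordinary request.
    """
    if has_referer_root(environ) and not accept_cross_site:
        return "403 Forbidden", b"Cross-site requests are not accepted by this server.\n"
    return "200 OK", b"Hello from the origin server.\n"


def app(environ, start_response):
    """WSGI entry point: apply the policy, then emit a plain-text response."""
    status, body = cross_site_policy(environ)
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def make_environ(path="/", **headers):
    """Build a minimal WSGI environ for offline testing (constructed input).

    Header names are given as keyword arguments with '-' written as '_',
    e.g. make_environ(Referer_Root="http://example.org").
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in headers.items():
        environ["HTTP_" + name.upper()] = value
    return environ


if __name__ == "__main__":
    # Run locally and try, for example:
    #   curl -i http://127.0.0.1:8000/
    #   curl -i -H 'Referer-Root: http://example.org' http://127.0.0.1:8000/
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("Listening on http://127.0.0.1:8000/")
        httpd.serve_forever()
```

The check keys only on the presence of the header, not its value: the point of the policy is that the server declines to participate at all, so there is nothing to parse or trust from the client. A plain Referer header does not trigger the refusal.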