Re: comments on access control for cross-site requests - WSC member

On Tue, 18 Dec 2007 21:09:13 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
> ## Sorry I was not clear. The Web Server needs to be able to control
> its IA boundary. In your description and reply the client provides the
> protection.

The Web server could simply refuse to handle requests that have a Referer-Root HTTP header in them.


>> I understand that the 3rd party can restrict access. The requirement
>> is for the web server to have a mechanism (i.e. configuration setting or
>> other type of control) that allows or disallows access control for
>> cross-site requests and the web server has the ability to restrict
>> 3rd party access to settings that are controlled by the web server.
>
> What exactly makes you think this is not possible?
>
> ## Please explain how this is possible.

You could simply deny to handle requests with a Referer-Root HTTP header.


>> Issue is that the web server owner loses Information Assurance (IA)
>> control, this is an issue for my customers. IA control cannot be
>> handed over to a 3rd party. For my customers, the web server owners
>> need to manage the IA settings.
>
> Do you have a more concrete scenario that illustrates this? I'm not
> sure I follow.
>
> ## Draft notes that the client becomes the Policy Decision Point, the
> IA boundary of the server is extended to include the client.

Yes, but the mechanism is opt-in, so it would only take part if the Web server allows this. Otherwise everything will work exactly like it does now.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
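The server-side policy discussed in this thread (refuse any request carrying the draft's Referer-Root header unless the operator has explicitly opted that root in), as an added example that is not code from the thread or from any implementation; the allowlist structure, function names and sample headers are assumptions constructed for illustration:

```python
# Added example: a server-side check for the Referer-Root header from the
# 2007 Access Control draft. Default is to refuse cross-site requests so the
# server operator, not the client, keeps the policy decision.
from typing import Iterable, Mapping, Optional

REFERER_ROOT = "referer-root"


def find_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def should_handle(headers: Mapping[str, str], allowed_roots: Iterable[str] = ()) -> bool:
    """Return True if the server should process the request.

    A request without Referer-Root is ordinary traffic and is handled.
    A request carrying Referer-Root is a cross-site request under the draft;
    it is refused unless the operator has listed that root (assumed config).
    """
    root = find_header(headers, REFERER_ROOT)
    if root is None:
        return True
    allowed = {r.strip().lower() for r in allowed_roots}
    return root.strip().lower() in allowed


def status_for(headers: Mapping[str, str], allowed_roots: Iterable[str] = ()) -> int:
    """HTTP status the server would answer with: 200 to handle, 403 to refuse."""
    return 200 if should_handle(headers, allowed_roots) else 403


# Constructed sample requests (hypothetical hosts)
SAME_SITE = {"Host": "example.org", "User-Agent": "test"}
CROSS_SITE = {"Host": "example.org", "Referer-Root": "http://partner.example.net"}
CROSS_SITE_LOWER = {"host": "example.org", "referer-root": "HTTP://Partner.example.net"}

if __name__ == "__main__":
    print(status_for(SAME_SITE))                                   # 200
    print(status_for(CROSS_SITE))                                  # 403 by default
    print(status_for(CROSS_SITE, ["http://partner.example.net"]))  # 200 when opted in
```

With no allowlist configured, every request carrying the header is refused, which is the "simply refuse" behaviour described above; adding a root to the list is the opt-in.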

Received on Tuesday, 18 December 2007 22:08:27 UTC