Re: comments on access control for cross-site requests - WSC member

Anne van Kesteren wrote:
> 
> On Tue, 18 Dec 2007 21:09:13 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
>> ## Sorry I was not clear. The Web Server needs to be able to control
>> its IA boundary. In your description and reply the client provides the
>> protection.
> 
> The Web server could simply refuse to handle requests that have a 
> Referer-Root HTTP header in them.
> 
> 
>>> I understand that the 3rd party can restrict access. The requirement
>>> is for the web server to have a mechanism (i.e. configuration setting or
>>> other type of control) that allows or disallows access control for
>>> cross-site requests and the web server has the ability to restrict
>>> 3rd party access to settings that are controlled by the web server.
>>
>> What exactly makes you think this is not possible?
>>
>> ## Please explain how this is possible.
> 
> You could simply deny to handle requests with a Referer-Root HTTP header.

Actually, I'm not sure we should recommend this. I wouldn't be surprised 
if the Referer-Root header ends up being used for other specs too in 
the future, especially given its very generic name.

If we really want servers to do this, maybe we should name the header 
AC-Referer-root instead?

The server could also simply not put any access-control headers or PIs 
in any responses; that would have the same effect.

/ Jonas

Received on Tuesday, 18 December 2007 22:20:03 UTC
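As an added example (not part of this thread, and not code from the Access Control draft or any W3C implementation), the following Python sketch models the two server-side options discussed above: refusing any request that carries a Referer-Root header, versus serving the response but emitting no access-control headers so that a conforming client refuses to expose it. It also adds a third, allow-list policy that the message does not describe. The `Access-Control: allow <root>` response syntax, the `Response` type, the policy names and the sample request headers are all assumptions made for this example.

```python
# Added example, not from the original thread or the draft spec.
# Models server-side control over cross-site requests as discussed on the page:
#   "refuse"     - reject any request carrying a Referer-Root header
#   "no-headers" - serve the resource but never emit access-control headers,
#                  leaving a conforming client to block cross-site reads
#   "allow-list" - emit an access-control header only for operator-configured
#                  requesting roots (an addition beyond the message)
# The "Access-Control: allow <root>" response syntax is assumed for this
# example and is not taken from the page.

from dataclasses import dataclass, field

REFERER_ROOT = "Referer-Root"  # draft-era request header named in the thread


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _get_header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_allowed_roots(access_control_value):
    """Parse the assumed 'allow <root> <root> ...' value into a set of roots."""
    tokens = access_control_value.split()
    if not tokens or tokens[0] != "allow":
        return set()
    return {t[1:-1] for t in tokens[1:] if t.startswith("<") and t.endswith(">")}


def handle(request_headers, body, policy, allowed_roots=()):
    """Serve `body` under one of the server-side cross-site policies above."""
    root = _get_header(request_headers, REFERER_ROOT)

    if policy == "refuse":
        # Fragile, as the message notes: if another spec reuses Referer-Root,
        # those requests are refused too.
        if root is not None:
            return Response(403, {}, "cross-site requests not accepted")
        return Response(200, {}, body)

    if policy == "no-headers":
        # Same effect for a conforming client, but nothing else breaks:
        # the response is sent, and the client withholds it from the page.
        return Response(200, {}, body)

    if policy == "allow-list":
        headers = {}
        if root is not None and root in set(allowed_roots):
            headers["Access-Control"] = f"allow <{root}>"
        return Response(200, headers, body)

    raise ValueError(f"unknown policy {policy!r}")


def client_may_read(response, referer_root):
    """Model the client-side check: a cross-site response is exposed to the
    requesting page only if the server named its root in an access-control
    header. Same-site requests (no Referer-Root) need no such header."""
    if response.status != 200:
        return False
    if referer_root is None:
        return True
    allowed = _parse_allowed_roots(response.headers.get("Access-Control", ""))
    return referer_root in allowed


if __name__ == "__main__":
    # Constructed sample request: a cross-site fetch from an assumed origin.
    cross_site = {"Referer-Root": "http://other.example"}
    for policy in ("refuse", "no-headers", "allow-list"):
        resp = handle(cross_site, "secret", policy,
                      allowed_roots=("http://partner.example",))
        print(policy, resp.status, client_may_read(resp, "http://other.example"))
```

Under "refuse" the server does the blocking itself (HTTP 403); under "no-headers" the server answers normally and relies on the client to withhold the body, which is the behaviour the message says has the same effect. The allow-list variant shows the server-controlled setting the earlier reply asked about: only roots the operator lists ever receive the access-control header.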