
Re: comments on access control for cross-site requests - WSC member

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 18 Dec 2007 14:20:29 -0800
Message-ID: <476847AD.2070403@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: "Doyle, Bill" <wdoyle@mitre.org>, "WAF WG (public)" <public-appformats@w3.org>

Anne van Kesteren wrote:
> 
> On Tue, 18 Dec 2007 21:09:13 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
>> ## Sorry I was not clear. The Web Server needs to be able to control
>> its IA boundary. In your description and reply the client provides the
>> protection.
> 
> The Web server could simply refuse to handle requests that have a 
> Referer-Root HTTP header in them.
> 
> 
>>> I understand that the 3rd party can restrict access. The requirement
>>> is for the web server to have a mechanism (i.e. configuration setting or
>>> other type of control) that allows or disallows access control for
>>> cross-site requests and the web server has the ability to restrict
>>> 3rd party access to settings that are controlled by the web server.
>>
>> What exactly makes you think this is not possible?
>>
>> ## Please explain how this is possible.
> 
> You could simply deny to handle requests with a Referer-Root HTTP header.

Actually, I'm not sure we should recommend this. I wouldn't be surprised 
if the Referer-Root header will end up being used for other specs too in 
the future. Especially given its very generic name.

If we really want servers to do this, maybe we should name the header 
AC-Referer-root instead?

The server could also simply not put any access-control headers or PIs 
in any responses; that would have the same effect.

/ Jonas
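A minimal model of the two server-side options discussed above (refuse any request carrying Referer-Root, or handle it but emit no access-control headers) checked against a simplified client-side gate, as an added example that is not part of the thread or of the Access Control draft. Only the Referer-Root header name comes from the thread; the `Access-Control: allow <root>` response syntax, the client-side gate and the sample roots are assumptions made for illustration.

```python
from typing import Callable, Dict, Optional, Tuple

# Header names: Referer-Root is from the thread; the response header and its
# "allow <root>" value are an assumed, simplified syntax for this example.
CROSS_SITE_HEADER = "referer-root"
ALLOW_HEADER = "access-control"

Response = Tuple[int, Dict[str, str], Optional[str]]


def refuse_cross_site(request_headers: Dict[str, str]) -> Response:
    """Option 1: refuse any request that carries Referer-Root at all.
    The request never reaches the application logic."""
    if CROSS_SITE_HEADER in request_headers:
        return 403, {}, None
    return 200, {}, "secret data"


def silent_cross_site(request_headers: Dict[str, str]) -> Response:
    """Option 2: handle the request normally but emit no access-control
    headers, so the client-side gate withholds the response."""
    return 200, {}, "secret data"


def opt_in_cross_site(request_headers: Dict[str, str], allowed_root: str) -> Response:
    """A server that opts in for exactly one root (assumed syntax)."""
    headers: Dict[str, str] = {}
    if request_headers.get(CROSS_SITE_HEADER) == allowed_root:
        headers[ALLOW_HEADER] = f"allow <{allowed_root}>"
    return 200, headers, "secret data"


def client_exposes(requesting_root: str, status: int, headers: Dict[str, str]) -> bool:
    """Simplified client-side gate: the cross-site script only sees the
    response when the server explicitly allowed this root (or any root)."""
    if status != 200:
        return False
    policy = headers.get(ALLOW_HEADER, "")
    return policy in (f"allow <{requesting_root}>", "allow <*>")


def cross_site_fetch(server: Callable[[Dict[str, str]], Response],
                     requesting_root: str) -> Optional[str]:
    """Send a request tagged with Referer-Root and apply the client gate."""
    status, headers, body = server({CROSS_SITE_HEADER: requesting_root})
    return body if client_exposes(requesting_root, status, headers) else None
```

Note that both options leave the cross-site script with nothing, but option 1 stops the request at the boundary while option 2 still runs the server-side handler.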
Received on Tuesday, 18 December 2007 22:20:03 GMT
