
Re: comments on access control for cross-site requests - WSC member

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 18 Dec 2007 15:12:47 -0800
Message-ID: <476853EF.30305@sicking.cc>
To: "Doyle, Bill" <wdoyle@mitre.org>, "WAF WG (public)" <public-appformats@w3.org>

> On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <wdoyle@mitre.org>
> wrote:
>> Not sure how the web server protects itself - "site should be
>> protected from any other requests until it grants access"
> 
> ## Sorry I was not clear. The Web Server needs to be able to control
> its IA boundary. In your description and reply the client provides the
> protection.

>> Issue is that the web server owner loses Information Assurance (IA)
>> control, this is an issue for my customers. IA control cannot be
>> handed over to a 3rd party. For my customers, the web server owners
>> need to manage the IA settings.
> 
> Do you have a more concrete scenario that illustrates this? I'm not
> sure I follow.
> 
> ## Draft notes that the client becomes the Policy Decision Point, the
> IA boundary of the server is extended to include the client.

Since we are trying to prevent the client from sending a dangerous 
request, there has to be some interaction with the client. I.e. we have 
to send some data to the client to indicate that the dangerous request 
should not be performed.

Not sure how you could possibly avoid that?

However, note that "don't send anything different from what you've been 
sending before" is considered such an indication. So effectively you are 
safe by default.

/ Jonas
Received on Tuesday, 18 December 2007 23:12:30 GMT
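Added illustration of the enforcement model described in the message above, written for this archive page and not taken from the thread, the 2007 draft, or any browser. It models the two halves of the argument: the client is the point that enforces the decision, but the only input to that decision is what the server chose to emit, so a server that keeps answering exactly as it always did (no access-control header at all) has every cross-site request refused. The header name follows the form CORS later standardised (`Access-Control-Allow-Origin`); its use here, and the set of methods treated as "dangerous" enough to need a prior check, are assumptions of the model, not the draft's wire format.

```python
"""
Model of client-side enforcement with server-chosen policy.

The user agent decides, but only on the basis of a header the server
sends.  No header means "not granted", so a server that sends nothing
new stays inside its own boundary by default.

Constructed example: not the 2007 draft's syntax and not browser code.
The header name follows what CORS later standardised; treat it as an
assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

ALLOW_HEADER = "Access-Control-Allow-Origin"   # assumption: CORS-era name

# Methods the model treats as "dangerous": the client must obtain the
# server's indication *before* sending them, not merely before reading
# the answer.  (Constructed choice for the model.)
SAFE_METHODS = {"GET", "HEAD"}


@dataclass
class Request:
    method: str
    origin: str              # origin of the page that triggered it
    preflight: bool = False  # True for the "may I?" probe


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


Handler = Callable[[Request], Response]


def legacy_server(req: Request) -> Response:
    """A server written before the mechanism existed.  It has never
    heard of the header, so it sends nothing new: the safe-by-default case."""
    return Response(200, body="private data")


def make_opt_in_server(allowed_origins: set) -> Handler:
    """A server that has chosen to extend its boundary to named origins.
    The server, not the client, decides what goes into the header."""
    def handler(req: Request) -> Response:
        headers = {}
        if req.origin in allowed_origins:
            headers[ALLOW_HEADER] = req.origin
        if req.preflight:
            # The probe answer carries only policy, never the resource.
            return Response(200, headers)
        return Response(200, headers, body="private data")
    return handler


def server_granted(req_origin: str, resp: Response) -> bool:
    """Client-side policy check: absent header means not granted."""
    value = resp.headers.get(ALLOW_HEADER)
    if value is None:
        return False
    return value == "*" or value == req_origin


def cross_site_request(req: Request, server: Handler) -> Optional[str]:
    """What the user agent does on behalf of a cross-site page.
    Returns the body the page may see, or None when access is refused."""
    if req.method not in SAFE_METHODS:
        # Dangerous request: ask first and send only if the server says so.
        probe = Request("OPTIONS", req.origin, preflight=True)
        if not server_granted(req.origin, server(probe)):
            return None
    resp = server(req)          # a safe request is sent as it always was...
    if not server_granted(req.origin, resp):
        return None             # ...but its content is withheld from the page
    return resp.body


if __name__ == "__main__":
    partner = make_opt_in_server({"https://partner.example"})
    for origin in ("https://partner.example", "https://other.example"):
        for method in ("GET", "DELETE"):
            print(origin, method,
                  "legacy:", cross_site_request(Request(method, origin), legacy_server),
                  "opt-in:", cross_site_request(Request(method, origin), partner))
```

Run directly, the script shows that the legacy server refuses every origin and method without having changed anything, while the opt-in server exposes data only to the origin it named, and only after a prior probe for the non-safe method. The IA boundary in the thread's terms is therefore still drawn by the server: the client merely reads the line the server emitted.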
