Re: [access-control] comments on Working Draft 1 October 2007

From: Jonas Sicking <jonas@sicking.cc>
Date: Sat, 03 Nov 2007 23:09:38 -0700
Message-ID: <472D6222.8050508@sicking.cc>
To: Frederick Hirsch <frederick.hirsch@nokia.com>, "WAF WG (public)" <public-appformats@w3.org>

Frederick Hirsch wrote:
> 
> I have some questions and suggestions regarding Working Draft 1 
> "Enabling Read Access for Web Resources" [1], as follows:
> 
> Questions
> 1. Should it be possible to use an HTTP HEAD method to obtain HTTP 
> access control headers without needing to obtain the entire 
> representation? This might be more efficient in some cases. This could 
> address a potential security risk associated with retrieving an entire 
> resource when its use may not be allowed.

The problem is that the resource might contain <?access-control?> PIs 
which deny access to the resource. The implementation won't be able to 
check these without retrieving the entire resource of course.

> 2. Has the WG considered having the server process XML document access 
> control PI directives and then providing that information as HTTP 
> headers, avoiding the need for client processing of the XML document? 
> Could this be a simplification for clients and allow use of HTTP HEAD 
> consistently?

This would require server support thus making adoption significantly 
harder. As things are now you can simply put an XML file on any existing 
server and things will just work.

> 3. Why is use of an XML Processor required to process the Processing 
> Instructions in the prolog? Couldn't simple text processing also be used?

It would have to process the data according to the XML specification. 
Wouldn't that make it an XML processor?

/ Jonas
Received on Sunday, 4 November 2007 06:09:43 UTC
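
An added example, not part of the original message or of the Working Draft, illustrating the exchange under question 3: a plain text scan for <?access-control?> compared with an XML parser that reports only real processing instructions in the prolog. The sample document, the allow/deny pseudo-attribute values and the function names are constructed for illustration.

```python
import re
import xml.parsers.expat

# Constructed sample. The allow/deny pseudo-attributes are illustrative values.
SAMPLE = b"""<?xml version="1.0"?>
<!-- <?access-control allow="*"?> -->
<?access-control deny="*"?>
<root><?access-control allow="*"?></root>
"""


def naive_scan(data):
    """Plain text matching: blind to comments and to where the prolog ends."""
    hits = re.findall(rb"<\?access-control\s+(.*?)\?>", data)
    return [h.decode() for h in hits]


class _PrologDone(Exception):
    """Raised from the start-element handler to stop at the end of the prolog."""


def prolog_pis(data, target="access-control"):
    """Return the data of each real PI named `target` that precedes the root element.

    Malformed input raises xml.parsers.expat.ExpatError; a caller making an
    access decision should treat that as a denial.
    """
    found = []

    def on_pi(pi_target, pi_data):
        if pi_target == target:
            found.append(pi_data)

    def on_start(name, attrs):
        raise _PrologDone

    parser = xml.parsers.expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    return found


if __name__ == "__main__":
    print("text scan :", naive_scan(SAMPLE))
    print("XML parser:", prolog_pis(SAMPLE))
```

The text scan also reports the string inside the comment and the PI inside the root element, so the two approaches disagree about which directives apply to the same document.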