W3C home > Mailing lists > Public > public-appformats@w3.org > November 2007

Re: Design issues for access-control

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 5 Nov 2007 09:47:34 -0500
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <20071105144734.GD9549@raktajino.does-not-exist.org>

On 2007-11-05 00:25:39 -0800, Jonas Sicking wrote:

> What I'm not thrilled about in the current spec, and I think
> Thomas touched on this in this thread, is that we're mixing
> server-side and client-side authentication when performing
> non-GET authorization.

> On one had we're sending both the requesting domain (in
> Referer-Root) and the requested method (in Method-Check?) to the
> server. This is enough data for the server to simply send back a
> yes/no reply.

> But then we're letting the server send back both a set of allowed
> domains (in Access-Control/<?access-control?>) and a set of
> allowed methods (in Allow). This data too would be enough on its
> own to make a yes/no decision about if to authorize the non-GET
> request.

> Why do we solve the problem twice?

+100 to that point.  

We should be clear the processing model is (and
pick one!), and we should also be clear what use case the language
addresses.  Is this a language for users to inform their web
servers, or is this a language for servers to inform user agents?

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Monday, 5 November 2007 14:47:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:08 UTC