
Re: Request for Comments on Enabling Read Access for Web Resources

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 20 Sep 2007 11:21:25 -0700
Message-ID: <46F2BA25.3050909@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>

Anne van Kesteren wrote:
>> We would then like the document to indicate whether there are
>> situations where implementation of the Read Access Control Policy
>> mechanism would make a UA and the network to which it is attached any
>> more vulnerable to attack.
>>
>> We think that the increased risk is probably small, but we believe
>> that the document should present more analysis than it does at present.
> 
> I tried making this more clear in the security section: 
> http://dev.w3.org/2006/waf/access-control/Overview.html#security

We might want to mention that implementations should not allow other 
methods than GET, and not allow the user to specify username/password or 
http-headers in conjunction with this, without taking extra precaution 
to make sure that that is safe. I.e. XHR2 will allow other methods than 
GET, but only if the server opts-in to it.

/ Jonas
Received on Thursday, 20 September 2007 18:25:41 UTC
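The rule Jonas sketches above (a cross-site request gets read access only where the server grants it, and anything beyond a plain GET, i.e. another method, user-specified headers or credentials, additionally requires the server to opt in) can be modelled as a small user-agent-side policy check. The following is an added example and is not code from the draft, from XHR2 or from any browser; it assumes the response header names of the later CORS specification (Access-Control-Allow-Origin, -Methods, -Headers, -Credentials), which the 2007 draft discussed here does not define, and the list of UA-controlled headers is a constructed assumption.

```python
"""User-agent-side model of the opt-in rule from the thread (added example).

A plain GET needs only a read-access grant for the requesting origin.  Any
other method, any header the page itself supplied, or attached credentials
need an explicit server opt-in on top of that.  Header names follow the
later CORS spec (assumption; the 2007 draft does not define them).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Methods a UA may send cross-site without the server opting in to the method.
SAFE_METHODS = {"GET"}

# Headers the UA sets on its own; anything else in the request is treated as
# user-specified and needs the server's opt-in.  Constructed list, not from
# the draft.
UA_CONTROLLED_HEADERS = {
    "accept", "accept-language", "content-language", "host",
    "origin", "referer", "user-agent",
}


def _csv(value: str) -> set[str]:
    """Split a comma-separated header value into its non-empty tokens."""
    return {tok.strip() for tok in value.split(",") if tok.strip()}


@dataclass
class CrossSiteRequest:
    method: str
    headers: dict[str, str] = field(default_factory=dict)  # page-supplied headers
    with_credentials: bool = False  # cookies / HTTP auth would be attached


@dataclass
class ServerOptIn:
    """What the server granted, as read from its response headers."""
    allow_origin: str | None = None  # "*" or one serialized origin
    allow_methods: set[str] = field(default_factory=set)
    allow_headers: set[str] = field(default_factory=set)
    allow_credentials: bool = False

    @classmethod
    def from_headers(cls, response_headers: dict[str, str]) -> ServerOptIn:
        h = {k.lower(): v for k, v in response_headers.items()}
        return cls(
            allow_origin=h.get("access-control-allow-origin"),
            allow_methods={m.upper() for m in _csv(h.get("access-control-allow-methods", ""))},
            allow_headers={n.lower() for n in _csv(h.get("access-control-allow-headers", ""))},
            allow_credentials=h.get("access-control-allow-credentials", "").strip().lower() == "true",
        )


def user_specified_headers(req: CrossSiteRequest) -> set[str]:
    """Request headers the page added itself, i.e. not set by the UA."""
    return {k.lower() for k in req.headers} - UA_CONTROLLED_HEADERS


def evaluate(req: CrossSiteRequest, origin: str, grant: ServerOptIn) -> tuple[bool, str]:
    """Decide whether the UA may expose the response to `origin`.

    Returns (allowed, reason).  Denials name the missing opt-in so the
    decision can be logged and debugged on the defending side.
    """
    if grant.allow_origin not in ("*", origin):
        return False, "server did not grant read access to this origin"

    method = req.method.upper()
    extra = user_specified_headers(req)

    # The case the draft already covers: a plain GET needs only the read grant.
    if method in SAFE_METHODS and not extra and not req.with_credentials:
        return True, "plain GET, no further opt-in needed"

    # Everything below is the extra precaution Jonas asks for.
    if method not in SAFE_METHODS and method not in grant.allow_methods:
        return False, f"server did not opt in to method {method}"
    missing = extra - grant.allow_headers
    if missing:
        return False, "server did not opt in to headers: " + ", ".join(sorted(missing))
    if req.with_credentials:
        if not grant.allow_credentials:
            return False, "server did not opt in to credentialed requests"
        if grant.allow_origin == "*":
            return False, "credentials require an explicit origin grant, not *"
    return True, "server opted in to the non-GET / header / credential use"


if __name__ == "__main__":
    # Constructed sample: the server grants example.org POST with an X-Token header.
    grant = ServerOptIn.from_headers({
        "Access-Control-Allow-Origin": "http://example.org",
        "Access-Control-Allow-Methods": "POST, PUT",
        "Access-Control-Allow-Headers": "X-Token",
    })
    for req in (CrossSiteRequest("GET"),
                CrossSiteRequest("POST", {"X-Token": "abc"}),
                CrossSiteRequest("DELETE"),
                CrossSiteRequest("GET", with_credentials=True)):
        print(req.method, evaluate(req, "http://example.org", grant))
```

The check is deliberately fail-closed: without a read grant nothing is exposed, and each of the three escalations (method, headers, credentials) is denied unless the server named it. Wildcard origin grants are never combined with credentials, which is the precaution that keeps an opt-in meant for anonymous readers from turning a user's cookies into a cross-site capability.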
