Anne van Kesteren wrote: >> We would then like the document to indicate whether there are >> situations where implementation of the Read Access Control Policy >> mechanism would make a UA and the network to which it is attached any >> more vulnerable to >> attack. >> >> We think that the increased risk is probably small, but we believe >> that the document should present more analysis than it does at present. > > I tried making this more clear in the security section: > http://dev.w3.org/2006/waf/access-control/Overview.html#security We might want to mention that implementations should not allow other methods than GET, and not allow the user to specify username/password or http-headers in conjunction with this, without taking extra precaution to make sure that that is safe. I.e. XHR2 will allow other methods than GET, but only if the server opts-in to it. / JonasReceived on Thursday, 20 September 2007 18:25:41 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:22 GMT