- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 7 Feb 2008 19:29:47 +0000
- To: Anne van Kesteren <annevk@opera.com>
- CC: "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote:
> On Thu, 07 Feb 2008 18:15:55 +0100, Close, Tyler J.
> <tyler.close@hp.com> wrote:
> > Sure, and there are even cases of sites that can safely process
> > cross-domain non-GET requests. This WG is trying to create a new way to
> > do this, but the handling of accountability is... unclear.
>
> It's really up to the server to decide on that. Part of the reason the
> server has to opt-in.

But the proposed protocol makes it impossible for the server to determine
accountability using the status quo mechanism of user authentication
cookies. The proposed protocol introduces a subtle security vulnerability
into the web developer's toolbox and runs off saying: "It's your problem
buddy!"

> > Is the user or the Referer-Root site accountable for a cross-domain
> > non-GET request? Does the proposed protocol make it possible for the
> > site hosting the resource to correctly determine the answer to that
> > question?
>
> Does
> http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0077.html
> help?

No, it doesn't.

Jonas Sicking wrote:
> Another way to look at it is; if you host web pages on your
> web server, who do you hold accountable today? The person
> creating the webpage, or the person whose cookies or auth
> credentials you receive.

Today, a web resource that uses cookies to authenticate the source of a
POST request typically holds the user accountable for that POST. That
policy doesn't work for a cross-domain POST under the WG's current
proposal.

--Tyler
Received on Thursday, 7 February 2008 19:30:58 UTC
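An added example, not from the thread or the WG draft, modelling the accountability question above in Python: two POSTs to the same resource carry the same session cookie, one from the resource's own site and one from another site that, under the draft, announces itself with a Referer-Root header. The cookie-only policy holds the user accountable for both; the second function is an assumed origin-aware policy that reports the Referer-Root site instead and processes the request only if the server has opted in to that site. The session table, host names, the form of the Referer-Root value and the allowed-roots list are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed session table: Cookie header value -> authenticated user.
SESSIONS = {"sid=abc123": "alice"}


@dataclass
class Request:
    method: str
    host: str                      # the site hosting the resource
    headers: dict = field(default_factory=dict)


def user_from_cookie(req):
    """Status quo: the cookie identifies the user, nothing more."""
    return SESSIONS.get(req.headers.get("Cookie", ""))


def cookie_only_accountability(req):
    """The status quo policy from the thread: whoever the cookie
    authenticates is held accountable, wherever the POST came from."""
    return user_from_cookie(req)


def origin_aware_accountability(req, allowed_roots=()):
    """Assumed policy: consult Referer-Root before blaming the user.
    Returns (accountable_party, decision)."""
    user = user_from_cookie(req)
    if user is None:
        return (None, "reject")       # unauthenticated request
    root = req.headers.get("Referer-Root")
    if root is None or root == "http://" + req.host:
        return (user, "process")      # same-origin: the user is accountable
    if root in allowed_roots:
        return (root, "process")      # server opted in: requesting site accountable
    return (root, "reject")           # cookie proves the user, not the user's intent


def demo():
    """Same cookie, two origins; returns both policies' verdicts."""
    cookie = {"Cookie": "sid=abc123"}
    same_site = Request("POST", "bank.example", dict(cookie))
    cross_site = Request("POST", "bank.example",
                         {**cookie, "Referer-Root": "http://other.example"})
    return (cookie_only_accountability(same_site),
            cookie_only_accountability(cross_site),
            origin_aware_accountability(same_site),
            origin_aware_accountability(cross_site),
            origin_aware_accountability(cross_site, ("http://other.example",)))
```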