RE: Comments on: Access Control for Cross-site Requests

Hi Dave,

Thanks for the encouragement.

I'd like to get the constraints nailed down before offering another design. One possible interpretation of the conversation to date is that the mechanism must work if the author has only the ability to deposit a single file on the web server. That makes things pretty tough.

Given the resistance to changing the design of the XMLHttpRequest proposal, and Jonas Sicking's comment that Firefox 3 will support JSONRequest, I'm also strongly tempted to say "good enough" and move on.

--Tyler

> -----Original Message-----
> From: David Orchard [mailto:dorchard@bea.com]
> Sent: Monday, January 07, 2008 3:31 PM
> To: Close, Tyler J.
> Cc: public-appformats@w3.org
> Subject: RE: Comments on: Access Control for Cross-site Requests
>
>
> > -----Original Message-----
> > From: public-appformats-request@w3.org
> > [mailto:public-appformats-request@w3.org] On Behalf Of Close, Tyler J.
> > Sent: Wednesday, January 02, 2008 5:57 PM
> > To: Ian Hickson
> > Cc: Jonas Sicking; Anne van Kesteren; public-appformats@w3.org
> > Subject: RE: Comments on: Access Control for Cross-site Requests
> >
>
> <snip/>
> >
> > (I still doubt the utility of these constraints, but
> > whatever, I'll play)
> >
> > --Tyler
> >
> >
>
> I personally haven't heard clear compelling evidence why client-side PEP
> is worth the complexity.  By my read of the WG, I see a few folks for
> client-side PEP and a few folks interested in the server-side only PEP.
> I take the review of the Security Context WG very seriously.  The fact
> that apparently, you, Doug Crockford, Jon F, Mark N, and others are
> concerned about this, perhaps the largest, part of the design gives me
> cause for serious concern.  I think that if the Working Group members
> won't explore the server-side PEP design, then I think a number of WG
> members and non-members but interested parties would be grateful for
> design(s) that you choose to offer.  I'm not sure that there is
> consensus in the WG for the client-side PEP approach given your and
> others' similar comments and I think that you've added some useful new
> information.
>
> Cheers,
> Dave
>

Received on Monday, 7 January 2008 23:46:55 UTC