- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Fri, 11 Jan 2008 10:42:39 +1100
- To: Brad Porter <bwporter@yahoo.com>
- Cc: public-appformats@w3.org
On 09/01/2008, at 9:38 AM, Brad Porter wrote: > In particular, moving to server-based access-control requires: > > a) browsers to provide verifiable REFERER, unique user, or other > equivalent identity information I don't follow this. It requires data to be provided by the browser (Referer-Root in the current proposal), but it doesn't require it to be verifiable, any more than you require the client's application of the policy to be verifiable. If anything, I'd imagine the server-side model to be more attractive to the corporate IT department, because it requires so much less of the browser (where so many security bugs have originated, and something entirely outside their ability to fix). -- Mark Nottingham mnot@yahoo-inc.com
Received on Thursday, 10 January 2008 23:42:57 UTC