- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 11 Jan 2008 11:03:07 +0000 (UTC)
- To: Brad Porter <bwporter@yahoo.com>
- Cc: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>
On Thu, 10 Jan 2008, Brad Porter wrote:
>
> I wonder to some extent if this entire debate could be addressed by
> including functionality in the access-control specification that would
> allow the server to also perform the validation if it chooses? A
> solution where both the browser and the server are enforcing the policy
> may ultimately be the strongest. This would enable webmasters to feel
> like they have some control, but also prevent the browser vendors from
> being blamed when webservers accidentally expose all their data by
> improperly implementing the server-side gate.

There already is a server-side gate. The server ultimately controls what
headers and PIs are sent back on a per-response basis; you can treat the
current specification as a purely server-side model that just happens to
have a syntactically complicated handshake.

I agree with all your other comments regarding the need for the option of
providing a static declaration of policy.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 11 January 2008 11:03:18 UTC