I believe that this is the current wording of requirement 9:

<sicking> i'd be ok with "Must not require that the server filters the entity body of the resource in order to deny cross-site access to all resources on the server"

(From the minutes.)

It occurs to me that the current specification assumes that all cross-site requests have a Referer-Root header set. That suggests that a configuration step as common as denying any requests with a particular header would be enough to fulfill this requirement, without actually relying upon the policy mechanism itself.

In fact, for the kind of use case that this requirement seems to have in mind (somebody screwed up badly during policy authoring), that strategy would most likely be the one a sane administrator would take. Otherwise, there would be a risk that the insane policy comes with a bad Method-Check-Expires HTTP header.

--
Thomas Roessler, W3C <tlr@w3.org>

Received on Wednesday, 30 January 2008 22:07:23 GMT
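The server-side configuration step the message has in mind, written out as an added example (it is not part of the thread and not from any W3C draft): an Apache httpd rewrite rule that refuses every request carrying the Referer-Root header, so a cross-site request is rejected before any access-control policy is consulted. The header name comes from the draft under discussion; the use of mod_rewrite and the 403 response are this example's own choices.

```apache
# Added example, not from the thread. Assumes Apache httpd with mod_rewrite
# loaded. Refuse any request that carries the Referer-Root header, which the
# draft attaches to cross-site requests, before any policy is evaluated.
RewriteEngine On

# Match when the header is present with any non-empty value.
RewriteCond %{HTTP:Referer-Root} .

# "^" matches every URL, "-" leaves it unchanged, [F] answers 403 Forbidden.
RewriteRule ^ - [F]
```

Because the request is refused outright, the server never emits an access-control policy for it, so neither a mis-authored policy nor a long Method-Check-Expires value attached to one can be cached on the client side. To limit the rule to part of the site rather than the whole server, place it inside a <Location> or <Directory> block, or in that subtree's .htaccess file.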
This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2008 22:07:25 GMT