W3C home > Mailing lists > Public > public-appformats@w3.org > May 2008

Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 14 May 2008 17:20:17 -0700
Message-ID: <482B81C1.2030600@sicking.cc>
To: Jon Ferraiolo <jferrai@us.ibm.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>

Jon Ferraiolo wrote:
> Sorry for beating a dead horse, but IMO the policy manager (i.e., the 
> software that decides whether to allow a request to go through, aka the 
> PEP) shouldn't be on the client anyway. The client should just make 
> cross-domain requests and the server should enforce which requests are 
> allowed to go through. Instead of the server delegating to the client 
> the responsibility for only allowing certain requests (e.g., only to 
> /api/*), the server should itself take responsibility for permitting or 
> denying requests.

I don't understand at all what you are proposing. If we allow the client 
to always POST cross domain, the damage is already done and we have lost 
already. We can't make existing, already-deployed servers start 
dealing with this new spec.

Please elaborate in more detail.

> (JSONRequest in contrast has no client-side mechanisms 
> for deciding which requests should be allowed or denied and assumes that 
> any such logic would be on the server.)

JSONRequest always allows cross-site POSTs, i.e. it always allows the 
thing we are trying to prevent.

/ Jonas
Received on Thursday, 15 May 2008 00:21:43 GMT
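The disagreement above is about where the policy enforcement point sits: in the browser (which sends the cross-site POST only after the server has opted in) or purely on the server (which receives every cross-site POST and must reject the unwanted ones itself). The following is an added example, not code from the thread or from either spec, that models both placements against a server that predates the spec. The server functions, the origin and path names, and the use of an OPTIONS preflight with header names as in today's CORS (Access-Control-Allow-Origin, Access-Control-Allow-Methods) are all assumptions for illustration; the 2008 draft headers differed.

```javascript
// Added example (not from the original message). Models a browser sending a
// cross-site POST under two policies:
//   - client-gated: preflight first, send the POST only if the server opts in
//   - always-allow: send the POST unconditionally (the JSONRequest model)
// Both are run against a constructed legacy server that knows nothing about
// the spec and a constructed server that opts in for /api/* only.

// Assumed legacy server: deployed before the spec, answers any POST it gets.
// It has no idea what a preflight is, so it returns 404 for OPTIONS.
function legacyServer(req) {
  if (req.method === 'OPTIONS') return { status: 404, headers: {}, handled: false };
  if (req.method === 'POST') return { status: 200, headers: {}, handled: true };
  return { status: 405, headers: {}, handled: false };
}

// Assumed opt-in server: permits cross-site POST to /api/* from one origin,
// and re-checks on the real POST as well (it does not rely on the client).
function optInServer(req) {
  const allowed = req.path.startsWith('/api/') && req.origin === 'https://trusted.example';
  if (req.method === 'OPTIONS') {
    if (!allowed) return { status: 403, headers: {}, handled: false };
    return {
      status: 200,
      headers: {
        'Access-Control-Allow-Origin': req.origin,
        'Access-Control-Allow-Methods': 'POST',
      },
      handled: false,
    };
  }
  if (req.method === 'POST') {
    if (!allowed) return { status: 403, headers: {}, handled: false };
    return { status: 200, headers: { 'Access-Control-Allow-Origin': req.origin }, handled: true };
  }
  return { status: 405, headers: {}, handled: false };
}

// Client-side enforcement: the browser preflights with OPTIONS and only sends
// the POST if the response explicitly allows this origin and method.
function clientGatedPost(server, origin, path) {
  const pre = server({ method: 'OPTIONS', path, origin });
  const allowOrigin = pre.headers['Access-Control-Allow-Origin'];
  const methods = (pre.headers['Access-Control-Allow-Methods'] || '')
    .split(',')
    .map((m) => m.trim());
  const originOk = allowOrigin === origin || allowOrigin === '*';
  if (pre.status !== 200 || !originOk || !methods.includes('POST')) {
    return { sent: false, serverHandled: false };
  }
  const res = server({ method: 'POST', path, origin });
  return { sent: true, serverHandled: res.handled };
}

// No client-side enforcement: the POST always reaches the server, which is
// the only place a policy could be applied.
function alwaysAllowPost(server, origin, path) {
  const res = server({ method: 'POST', path, origin });
  return { sent: true, serverHandled: res.handled };
}

// Constructed scenario: a page on evil.example tries to POST to the legacy
// server's /transfer endpoint.
function demo() {
  return {
    legacyGated: clientGatedPost(legacyServer, 'https://evil.example', '/transfer'),
    legacyAlwaysAllow: alwaysAllowPost(legacyServer, 'https://evil.example', '/transfer'),
    optInTrusted: clientGatedPost(optInServer, 'https://trusted.example', '/api/items'),
    optInWrongOrigin: clientGatedPost(optInServer, 'https://evil.example', '/api/items'),
    optInWrongPath: clientGatedPost(optInServer, 'https://trusted.example', '/admin'),
  };
}
```

The two legacy-server results are the crux of the argument: with the client-side gate the pre-spec server never sees the POST, because it cannot answer the preflight; with always-allow it handles the POST exactly as it would a same-site one. The opt-in server shows that a server-side check still belongs on the real POST, but only servers updated for the spec will have one.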
