
Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 16 May 2008 03:38:48 +0200
To: Jon Ferraiolo <jferrai@us.ibm.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <723p24hhiskhg98ed70p9ernscmrp7qudq@hive.bjoern.hoehrmann.de>

* Jon Ferraiolo wrote:
>I didn't understand your logic with the spammer metaphor where the browser
>is the spammer sending unwanted initial requests to the server. A request
>goes to the server no matter whether we are talking about AC/XHR,
>JSONRequest or XDR. With AC/XHR, the browser sends a request (the spam) and
>the response comes back with either Access-Control header or (for XML) an
>Access-Control PI. With JSONRequest, the response is either an error or
>comes back with a Content-Type:application/jsonrequest header. With XDR,
>similar, except with an XDomainRequestAllowed:1. What am I missing?



>But cookies are just one small part of a bigger picture. My opinion is that
>it would be better to start off with an approach that is based on something
>like JSONRequest or XDR where policy management (i.e., allow/deny logic)
>happens on the server rather than the client, and where the starting point
>for discussion is a proposal that has been designed with security in mind
>from the beginning. ***THEN*** make adjustments to improve from this secure
>foundation to offer more flexibility and possibly even better security
>characteristics. For example, start with JSONRequest and transform it into
>something that includes XML support, or start with XDR and transform it into
>something that offers an option to go beyond just GET and POST and allows
>for secure transmission of user credentials.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 16 May 2008 01:39:28 GMT
