- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 14 Apr 2008 17:21:50 +0200
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: "Close, Tyler J." <tyler.close@hp.com>, Chris Wilson <Chris.Wilson@microsoft.com>, David Ross <dross@windows.microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, Jonas Sicking <jonas@sicking.cc>, Laurens Holst <lholst@students.cs.uu.nl>, Marc Silbey <marcsil@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Nikhil Kothari <nikhilko@microsoft.com>, "public-appformats@w3.org" <public-appformats@w3.org>, "Web API WG (public)" <public-webapi@w3.org>, public-webapi-request@w3.org, Sharath Udupa <Sharath.Udupa@microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>
On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote: > On the architecture side, Access Control is just plain wrong, > with the PEP on the client instead of the server, which requires > data to be sent along the pipe to the client, where the client is > trusted to discard the data if the user isn't allowed to see the > data; it is just plain architecturally wrong to transmit data > that is not meant to be seen. This seems to confuse the attacker model a bit. It's not about the user not being permitted to see the data, it's about a web application from a different origin not being allowed to manipulate the data, even though the user is allowed to see the data. See this message: http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0290.html ... for a more detailed discussion of that topic, and some links. Regards, -- Thomas Roessler, W3C <tlr@w3.org>
Received on Monday, 14 April 2008 15:22:31 UTC