I have two things to point out, that I think might lead to agreement on this issue.

1. Note that nowhere does my draft text require that an unguessable URL alone be sufficient to grant access to a resource. It only says that private resources SHOULD use unguessable URLs. It doesn't say that you can't use additional security measures. One battle at a time I figure. See:

http://lists.w3.org/Archives/Public/www-tag/2010Feb/0081.html

2. On Fri, Feb 12, 2010 at 8:50 AM, <noah_mendelsohn@us.ibm.com> wrote:
> I do object to proposals to, at this stage, tighten
> the rules for management of URIs on the Web, in email, etc.

I don't think I've proposed any such tightening. I have only put into words part of the security model that browsers currently attempt to enforce. If you believe otherwise, please provide specific counter-examples. In particular, my draft text makes no mention of email servers or HTTP proxy servers, so it's hard to claim I aim to restrict their behavior.

AFAICT, we should be able to agree on the substance of my draft text at this point, even if some word smithing is desired.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Friday, 12 February 2010 21:54:12 GMT