- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 18 Dec 2007 20:15:10 +0100
- To: "Doyle, Bill" <wdoyle@mitre.org>, "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:

> Not sure how the web server protects itself - "site should be protected
> from any other requests until it grants access"

Per the current policy in place the Web server FOO.COM is protected by the client not allowing a site on BAR.COM to retrieve information from FOO.COM. A site on BAR.COM can already issue a GET request to FOO.COM using <img>, <script>, etc. This same GET request is used to allow cross-site exchange of information through an opt-in policy as defined by the draft.

> I understand that the 3rd party can restrict access. The requirement is
> for the web server to have a mechanism (i.e. configuration setting or
> other type of control) that allows or disallows access control for
> cross-site requests and the web server has the ability to restrict 3rd
> party access to settings that are controlled by the web server.

What exactly makes you think this is not possible?

> Issue is that the web server owner loses Information Assurance (IA)
> control, this is an issue for my customers. IA control cannot be handed
> over to a 3rd party. For my customers, the web server owners need to
> manage the IA settings.

Do you have a more concrete scenario that illustrates this? I'm not sure I follow.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 18 December 2007 19:14:04 UTC
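The model Anne describes above, as an added example that is not part of the thread or of the W3C draft: the FOO.COM owner keeps an allow-list in server configuration, the server attaches an opt-in header only for origins on that list, and the browser withholds the response body from a BAR.COM page unless the header names it. Header names follow today's CORS specification (the successor of the 2007 draft); the policy class, function names and the sample origins are constructed for this illustration.

```python
# Constructed simulation of the opt-in cross-site access model.
# Assumption: the header names follow current CORS, not the 2007 draft syntax.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ALLOW_ORIGIN_HEADER = "Access-Control-Allow-Origin"


@dataclass(frozen=True)
class ServerPolicy:
    """Configuration owned by the FOO.COM operator.

    A third-party site never touches this object; it only receives the
    headers the server chooses to emit, so control stays with the server.
    """
    allowed_origins: frozenset = frozenset()
    allow_any: bool = False


def server_response(policy: ServerPolicy, request_origin: str,
                    body: str) -> Tuple[Dict[str, str], str]:
    """FOO.COM handling a cross-site GET.

    The body is produced exactly as it would be for an <img> or <script>
    fetch today; the only thing the policy changes is whether the opt-in
    header is attached, which is what lets a script read the body.
    """
    headers: Dict[str, str] = {}
    if policy.allow_any:
        headers[ALLOW_ORIGIN_HEADER] = "*"
    elif request_origin in policy.allowed_origins:
        headers[ALLOW_ORIGIN_HEADER] = request_origin
        # Response differs per origin, so caches must key on Origin.
        headers["Vary"] = "Origin"
    return headers, body


def client_enforce(page_origin: str, headers: Dict[str, str],
                   body: str) -> Optional[str]:
    """The browser side: release the body to script on page_origin only if
    the server explicitly opted in for that origin (or for everyone)."""
    allowed = headers.get(ALLOW_ORIGIN_HEADER)
    if allowed == "*" or allowed == page_origin:
        return body
    return None  # request was sent, response is withheld from the page


def cross_site_fetch(policy: ServerPolicy, page_origin: str,
                     body: str = "account data") -> Optional[str]:
    """A page at page_origin fetches a FOO.COM resource; returns what the
    page's script is allowed to see."""
    headers, data = server_response(policy, page_origin, body)
    return client_enforce(page_origin, headers, data)


if __name__ == "__main__":
    locked_down = ServerPolicy()
    partner_only = ServerPolicy(allowed_origins=frozenset({"http://bar.com"}))
    print(cross_site_fetch(locked_down, "http://bar.com"))   # None
    print(cross_site_fetch(partner_only, "http://bar.com"))  # account data
    print(cross_site_fetch(partner_only, "http://other.example"))  # None
```

The point of the simulation is the asymmetry Bill asked about: the request still reaches FOO.COM (as any <img> GET would), but the decision to expose the response lives entirely in `ServerPolicy`, which only the FOO.COM operator edits; a page on BAR.COM can ask, but cannot grant itself access.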