- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 20 Dec 2007 01:32:02 +0000 (UTC)
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: "public-appformats@w3.org" <public-appformats@w3.org>
On Thu, 20 Dec 2007, Close, Tyler J. wrote:
>
> A significant portion of the proposal is devoted to specifying a policy
> language for determining whether or not a page from a particular "root
> URI" should be allowed to issue a cross-domain request to a particular
> server. I think the problem can be solved without the server and the
> client software agreeing on such a policy language. For example, rather
> than have the server specify the rules for cross-domain requests and
> have the client enforce these rules, the client should simply send the
> request information to the server and have the server enforce its own
> rules. I see no advantage to placing this logic in the client, as
> opposed to the server. Placing the logic in the client introduces
> significant complexity which creates many opportunities for
> implementation bugs, specification ambiguity and misunderstanding by web
> application developers, while possibly limiting the kinds of policies a
> server can enforce.

Interesting idea... can you propose a way of doing this that defaults to
all-access-disabled, no-requests-other-than-GET-get-sent-without-approval
for implementations and servers that don't implement the proposal?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 20 December 2007 01:32:16 UTC
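The exchange the two messages discuss, as an added example that is not part of the thread or of the W3C draft: a Python model in which the server enforces its own rules on an origin the client declares, while the client still fails closed (it withholds the response unless the server explicitly opts in, and sends no non-GET request before that approval), so a server that knows nothing of the proposal grants nothing. The header names, the APPROVE probe and the policy function are assumptions of this sketch.

```python
from dataclasses import dataclass, field

# Hypothetical header names for this model; not the names used by any draft.
ORIGIN_HDR = "X-Request-Origin"    # client -> server: which page is asking
APPROVE_HDR = "X-Origin-Approved"  # server -> client: explicit opt-in for that origin


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class PolicyServer:
    """Server that enforces its own cross-domain rules (the model Tyler proposes)."""

    def __init__(self, allow_fn):
        self.allow_fn = allow_fn  # (origin, method) -> bool; the server's private policy

    def handle(self, method, headers):
        origin = headers.get(ORIGIN_HDR)
        if origin is None or not self.allow_fn(origin, method):
            return Response(403)  # denied; nothing is released to the caller
        if method == "APPROVE":  # hypothetical pre-approval probe for non-GET requests
            return Response(200, {APPROVE_HDR: origin})
        return Response(200, {APPROVE_HDR: origin}, body=f"data for {origin}")


class LegacyServer:
    """Server that does not implement the proposal: answers everything, never opts in."""

    def __init__(self):
        self.seen = []  # constructed log of methods that actually reached the server

    def handle(self, method, headers):
        self.seen.append(method)
        return Response(200, body="legacy data")


def cross_domain_fetch(client_origin, server, method="GET"):
    """Client side: default-deny unless the server explicitly approves this origin."""
    hdrs = {ORIGIN_HDR: client_origin}
    if method != "GET":
        # A non-GET request is only sent after the server has approved the origin.
        probe = server.handle("APPROVE", hdrs)
        if probe.headers.get(APPROVE_HDR) != client_origin:
            return None
    resp = server.handle(method, hdrs)
    if resp.headers.get(APPROVE_HDR) != client_origin:
        return None  # no explicit opt-in: the response is withheld from the page
    return resp.body
```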