W3C home > Mailing lists > Public > public-appformats@w3.org > December 2007

Re: Comments on: Access Control for Cross-site Requests

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 20 Dec 2007 01:32:02 +0000 (UTC)
To: "Close, Tyler J." <tyler.close@hp.com>
Cc: "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0712200130460.22033@hixie.dreamhostps.com>

On Thu, 20 Dec 2007, Close, Tyler J. wrote:
> A significant portion of the proposal is devoted to specifying a policy 
> language for determining whether or not a page from a particular "root 
> URI" should be allowed to issue a cross-domain request to a particular 
> server. I think the problem can be solved without the server and the 
> client software agreeing on such a policy language. For example, rather 
> than have the server specify the rules for cross-domain requests and 
> have the client enforce these rules, the client should simply send the 
> request information to the server and have the server enforce its own 
> rules. I see no advantage to placing this logic in the client, as 
> opposed to the server. Placing the logic in the client introduces 
> significant complexity which creates many opportunities for 
> implementation bugs, specification ambiguity and misunderstanding by web 
> application developers, while possibly limiting the kinds of policies a 
> server can enforce.

Interesting idea... can you propose a way of doing this that defaults to 
all-access-disabled, no-requests-other-than-GET-get-sent-without-approval 
for implementations and servers that don't implement the proposal?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 20 December 2007 01:32:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:20 UTC