- From: Thomas Roessler <tlr@w3.org>
- Date: Sat, 7 Jul 2007 11:32:01 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>

On 2007-07-06 17:18:11 -0700, Jonas Sicking wrote:

> The other use case if you're putting a resource on a server that
> grants access, but you don't want your particular resource to be
> accessible cross domain.

That use case is actually a recipe for disaster -- mainly because
there is no way for the server operator to know whether a client is
going to honor a policy or not. After all, the client could be old
and predate (and therefore ignore) the access-control language.

That kind of scenario is, in fact, another reason why the
access-control language should not be able to express restrictions
that go beyond the existing sandbox model. People will try to use
the language with "deny" for the use case that you describe, and (as
you said) "bad things will happen."

Cheers,
-- 
Thomas Roessler, W3C <tlr@w3.org>

Received on Saturday, 7 July 2007 09:32:15 UTC