Re: [access-control] comments on Working Draft 1 October 2007

Frederick Hirsch wrote:
> 
> I have some questions and suggestions regarding Working Draft 1 
> "Enabling Read Access for Web Resources" [1], as follows:
> 
> Questions
> 1. Should it be possible to use an HTTP HEAD method to obtain HTTP 
> access control headers without needing to obtain the entire 
> representation? This might be more efficient in some cases. This could 
> address a potential security risk associated with retrieving an entire 
> resource when its use may not be allowed.

The problem is that the resource might contain <?access-control?> PIs 
which deny access to the resource. The implementation won't be able to 
check these without retrieving the entire resource of course.

> 2. Has the WG considered having the server process XML document access 
> control PI directives and then providing that information as HTTP 
> headers, avoiding the need for client processing of the XML document? 
> Could this be a simplification for clients and allow use of HTTP HEAD 
> consistently?

This would require server support thus making adoption significantly 
harder. As things are now you can simply put an XML file on any existing 
server and things will just work.

> 3. Why is use of an XML Processor required to process the Processing 
> Instructions in the prolog? Couldn't simple text processing also be used?

It would have to process the data according to the XML specification. 
Wouldn't that make it an XML processor?

/ Jonas
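Jonas's point above, that a HEAD response cannot reveal a deny PI carried in the document body, as an added illustration that is not code from the thread or from the draft. The header value and the PI attribute names `allow`/`deny` are assumptions made for this sketch, not the draft's actual syntax, and the prolog scan is a simplification (it does not handle `<` inside prolog comments).

```python
import re
from typing import Dict, List, Optional

# Constructed sample response (not from the draft). The `allow`/`deny` PI
# attributes and the header value are assumptions for this illustration.
SAMPLE_HEADERS = {"Content-Type": "application/xml",
                  "Access-Control": "allow <*>"}
SAMPLE_BODY = b"""<?xml version="1.0"?>
<?access-control allow="*"?>
<?access-control deny="example.com"?>
<root><?access-control allow="*"?><!-- not in the prolog: ignored --></root>
"""

_PI_RE = re.compile(r"<\?access-control\s+([^?]*)\?>")
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def prolog_access_control_pis(body: bytes) -> List[Dict[str, str]]:
    """Return the access-control PIs found in the XML prolog only.

    The prolog ends at the first element start tag ('<' followed by a name
    start character); PIs inside the document element are deliberately skipped.
    """
    text = body.decode("utf-8", errors="replace")
    root = re.search(r"<[A-Za-z_:]", text)
    prolog = text if root is None else text[:root.start()]
    return [dict(_ATTR_RE.findall(m.group(1))) for m in _PI_RE.finditer(prolog)]


def decide(headers: Dict[str, str], body: Optional[bytes], origin: str) -> bool:
    """True if `origin` may read the resource.

    body=None models a HEAD response: only the header is visible, so a deny PI
    in the prolog cannot be seen, which is the limitation raised in the thread.
    """
    hdr = headers.get("Access-Control", "")
    header_allows = "<*>" in hdr or f"<{origin}>" in hdr
    if body is None:
        return header_allows
    pis = prolog_access_control_pis(body)
    denied = any(p.get("deny") in ("*", origin) for p in pis)
    pi_allows = any(p.get("allow") in ("*", origin) for p in pis)
    return not denied and (header_allows or pi_allows)
```

With the sample above, a HEAD-only decision grants example.com, while the full body reveals the deny PI and refuses it.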

Received on Sunday, 4 November 2007 06:09:43 UTC