Re: Design issues for access-control from Thomas Roessler on 2007-11-05 (public-appformats@w3.org from November 2007)

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 5 Nov 2007 09:42:31 -0500
To: Anne van Kesteren <annevk@opera.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <20071105144231.GC9549@raktajino.does-not-exist.org>

On 2007-10-31 17:11:42 +0100, Anne van Kesteren wrote:

> The scenario was doing cross-site XML POST as that might hurt
> SOAP servers.  I seem to recall someone saying this is possible
> with <form> POST as well though I'm not sure exactly how, but
> only with XMLHttpRequest the Content-Type header would be an XML
> MIME type.

Well, Xforms is built around the notion of submitting data in XML to
arbitrary destination URIs, and that spec enables automatic
submission (through POST) even without use of Javascript.

>>> Servers will have to deal with cross-site <form> POST, but
>>> probably don't deal with cross-site XMLHttpRequest POST. As such,
>>> XMLHttpRequest POST is not guaranteed to be as "safe" as
>>> cross-site <form> POST is.

>> Please explain the differences from the perspective of the site that
>> needs to handle these requests, and explain how they are relevant
>> for the discussion at hand.

> <form> POST is not relevant to the discussion at hand. XMLHttpRequest POST 
> follows the model with Method-Check, etc.

You're not answering my question.

>>> Non-GET requests are indeed more difficult, but since non-GET is
>>> already more complicated than just sending a reply (you have to
>>> do some more "advanced" processing on the server as a result of
>>> the request) I don't see this as a problem.

>> The main use case here is POST, which is deployed in existing
>> servers.  The additional header needs to be dealt with when it
>> occurs on a GET request.

>> Requiring special server-side processing for an existing method
>> means a significant change in terms of deployment scenario.

> Well, you'd have a single resource on the server I assume that
> takes care of both the GET and POST responses. My point was that
> if the author of the server is going to handle POST he/she
> already needs to do a certain amount of coding rather than just
> putting a data source online. Handling the additional request
> isn't that more complicated than.

There is a difference between deploying a web application and
deploying a different HTTP stack.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Monday, 5 November 2007 14:42:43 UTC