Re: [access-control] non-GET threat model and authorization choreography

On Oct 6, 2007, at 03:56, Jonas Sicking wrote:

> Like Ian points out, there might very well be servers living inside  
> firewalls that support that method and don't do any other security  
> authentication other than relying on the firewall.

OK. That makes sense.

> Also note that the server can make the GET request be cached in the  
> browser which should make the overhead of a GET fairly low.

Actually, the HTTP-level cacheability of GET doesn't work here. The  
POST request to the URI invalidates the cached GET response, so when  
you are doing the next POST, the GET response should no longer be in  
cache. (This is not currently true of Firefox, but that's a bug:  
https://bugzilla.mozilla.org/show_bug.cgi?id=327765 )

Therefore, with GET you'd need to maintain an access-control method  
authorization cache independently of the HTTP caching of the GET  
response. And at that point, you might as well maintain an access- 
control method authorization cache for information obtained via OPTIONS.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Saturday, 6 October 2007 09:45:18 UTC