Re: [access-control] non-GET threat model and authorization choreography

On Tue, 09 Oct 2007 14:02:47 +0200, Thomas Roessler <tlr@w3.org> wrote:
> How is 4 any different from saying "use HTTP caching"?  (I might be
> missing the point here...)

The scenario is like this:

   1. Script does a POST request to http://example.org/foo
   2. Script does a POST request to http://example.org/foo

This results in the following:

   1. UA does GET access request check to http://example.org/foo
   2. UA does POST access request to http://example.org/foo
   3. UA does GET access request check to http://example.org/foo
   4. UA does POST access request to http://example.org/foo

The user agent does 3 because the HTTP cache for http://example.org/foo is
invalidated at 2 (because of the POST). We want a way to override this for
access request checks so you don't have to do an actual access request check
for each request to the same resource. This would allow:

   1. UA does GET access request check to http://example.org/foo
   2. UA does POST access request to http://example.org/foo
   3. UA does POST access request to http://example.org/foo

My previous post illustrated some solutions to this problem.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 9 October 2007 12:15:41 UTC
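To make the two choreographies above concrete, here is an added example that is not part of the original message or of any W3C or Opera code. It is a toy user-agent model: in one mode the result of the GET access request check lives only in the ordinary HTTP cache (so the POST invalidates it, giving the four-request sequence), and in the other mode it lives in a dedicated access-check cache keyed by (origin, URL, method) with its own lifetime (giving the three-request sequence). The `ALLOWED` policy, the origin `http://app.example.com`, the `ACCESS_CHECK_TTL` value and the cache key shape are all assumptions made for the illustration; the thread does not specify them.

```python
"""Toy model of the access-request-check choreography from the thread.
Constructed illustration; not a real user agent or server."""

from dataclasses import dataclass, field

# Constructed sample policy: which origins each resource's access check allows.
# A real server would express this in its response to the GET access check.
ALLOWED = {"http://example.org/foo": {"http://app.example.com"}}

# Assumed lifetime (seconds) of an entry in the dedicated access-check cache.
# The message does not name a value; 60 is just the illustration's choice.
ACCESS_CHECK_TTL = 60


class AccessDenied(Exception):
    """The access check said the cross-site request must not be sent."""


@dataclass
class UserAgent:
    # True: access-check results live in their own cache keyed by
    # (origin, url, method) and survive a POST to url.
    # False: the check result is just a cached GET response for url.
    separate_access_cache: bool
    wire: list = field(default_factory=list)          # (method, url) sent on the wire
    http_cache: dict = field(default_factory=dict)    # url -> cached GET (check) response
    access_cache: dict = field(default_factory=dict)  # (origin, url, method) -> (allowed, expires)

    def _send(self, method, url, origin):
        """Put one request on the wire and apply ordinary HTTP cache rules."""
        self.wire.append((method, url))
        if method != "GET":
            # An unsafe method invalidates the cache entry for that URL; this is
            # exactly what forces the repeated GET check in the four-step sequence.
            self.http_cache.pop(url, None)
        # Server side of the check: may this origin send non-GET requests here?
        return origin in ALLOWED.get(url, set())

    def _check_allowed(self, origin, url, method, now):
        if self.separate_access_cache:
            entry = self.access_cache.get((origin, url, method))
            if entry is not None and entry[1] > now:
                return entry[0]
            allowed = self._send("GET", url, origin)
            if allowed:
                # Only positive results are remembered; a denial is re-checked
                # on the next request rather than cached.
                self.access_cache[(origin, url, method)] = (allowed, now + ACCESS_CHECK_TTL)
            return allowed
        # HTTP-cache mode: the check response is cached like any GET response.
        if url in self.http_cache:
            return self.http_cache[url]
        allowed = self._send("GET", url, origin)
        self.http_cache[url] = allowed
        return allowed

    def cross_site_request(self, origin, method, url, now=0):
        """What a script's cross-site request to url becomes on the wire."""
        if not self._check_allowed(origin, url, method, now):
            raise AccessDenied(f"{origin} may not {method} {url}")
        return self._send(method, url, origin)


def run_scenario(separate_access_cache, origin="http://app.example.com",
                 url="http://example.org/foo", method="POST", times=(0, 1)):
    """Replay 'script does two POSTs' and return the wire-level request log."""
    ua = UserAgent(separate_access_cache)
    for now in times:
        ua.cross_site_request(origin, method, url, now)
    return ua.wire


if __name__ == "__main__":
    for mode in (False, True):
        print("separate access cache:", mode)
        for i, (m, u) in enumerate(run_scenario(mode), 1):
            print(f"   {i}. UA does {m} to {u}")
```

Running it prints the four-step sequence for `separate_access_cache=False` and the three-step sequence for `True`. The dedicated cache is keyed on method as well as URL, so a script that later issues a DELETE to the same resource still triggers its own GET check, and an expired entry (`now` past `ACCESS_CHECK_TTL`) falls back to a fresh check; the third point from a defender's view is that a denial is never cached, so a server that tightens its policy is consulted again on the very next request.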