Re: [access-control] non-GET threat model and authorization choreography

On Fri, 12 Oct 2007 13:49:43 +0200, Mark Nottingham <mnot@yahoo-inc.com>  
wrote:
> Use a well-known location, like robots.txt, site maps, P3P and pretty  
> much every other site-wide metadata mechanism does things.
>
> Yes, it's ugly, yes it reserves part of URI space, and yes, it's not  
> terribly friendly to micro-sites. However, it is well-understood on all  
> sides, is widely deployed, scales well for complex interactions with  
> multiple resources, and is less likely to have surprises pop up.

This requires domain-wide organization where the access-control proposal  
is more focused on individual resources being available or not. I outlined  
my current idea below. I'm not sure yet how to properly integrate it in  
the specification, but I'm looking into that.


For a non-GET access request you look up in the access method check cache  
whether you can make the desired non-GET to the URI. If the access method  
check cache doesn't have an entry for the given URI you make an access  
method check request to the URI. An access method check request is a GET  
request that includes a Method-Check HTTP header that indicates the  
desired HTTP method. You do a match against the response Allow header  
method list and if there's a match (case-sensitive comparison as per HTTP)  
and the response also includes Access-Control / <?access-control?> stuff  
that allows access, you do a subsequent request to the URI with the non-GET  
method.

If the response to the access method check request also includes a  
Method-Check-Expires HTTP header that is valid and contains an HTTP-date  
later than now the user agent appends an entry to the access method check  
cache for the URI with an expiry date as indicated by the  
Method-Check-Expires header. This entry contains all the Access-Control /  
<?access-control?> / Allow / Method-Check-Expires information so requests  
with a different Referer-Root can also benefit from it.


(The plan is to make the above story a bit more obvious once I've figured  
out how to organize the specification.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 15 October 2007 12:58:42 UTC
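The choreography Anne describes above, written out as an added example (it is not code from the message, from Opera, or from the access-control draft). Both the user agent and the origin server are simulated in-process so the exchange can be run offline. The resource table, the clock, the cache layout and the simplified Access-Control syntax (`allow <*>` or `allow <origin> ...`) are assumptions made for this example; the header names Method-Check, Method-Check-Expires, Allow, Access-Control and Referer-Root are the ones the message uses.

```javascript
// Added example: simulated "access method check" flow for non-GET requests.
// ASSUMPTIONS: the resource table, server behaviour and the simplified
// Access-Control syntax below are constructed for this example only.

// Constructed server-side policy, keyed by URI.
const RESOURCES = {
  'http://example.org/api/items': {
    allow: ['GET', 'POST', 'DELETE'],          // sent back as the Allow header
    accessControl: 'allow <http://example.com>',
    expiresSeconds: 3600,                       // offset for Method-Check-Expires
  },
  'http://example.org/api/readonly': {
    allow: ['GET', 'HEAD'],
    accessControl: 'allow <*>',
    expiresSeconds: 0,                          // no Method-Check-Expires sent
  },
};

// Minimal origin server (constructed). Returns { status, headers }.
function server(method, uri, headers, now) {
  const res = RESOURCES[uri];
  if (!res) return { status: 404, headers: {} };
  if (method === 'GET' && headers['Method-Check']) {
    // Access method check request: answer with the policy headers.
    const out = { 'Allow': res.allow.join(', '), 'Access-Control': res.accessControl };
    if (res.expiresSeconds > 0) {
      out['Method-Check-Expires'] =
        new Date(now.getTime() + res.expiresSeconds * 1000).toUTCString(); // HTTP-date
    }
    return { status: 200, headers: out };
  }
  // The real non-GET request; the server enforces the same Allow list.
  return { status: res.allow.includes(method) ? 200 : 405, headers: {} };
}

// Simplified (assumed) Access-Control grammar: "allow <origin> <origin> ..." or "allow <*>".
function accessControlAllows(value, refererRoot) {
  const m = /^allow\s+(.*)$/.exec(value.trim());
  if (!m) return false;
  const origins = m[1].split(/\s+/).map(s => s.replace(/^<|>$/g, ''));
  return origins.includes('*') || origins.includes(refererRoot);
}

class UserAgent {
  constructor(serverFn) {
    this.server = serverFn;
    this.cache = new Map(); // access method check cache: uri -> { headers, expires }
  }

  // Try to perform a non-GET `method` on `uri` from `refererRoot` at time `now`.
  // Returns { performed, reason, sent }; `sent` lists the requests put on the wire.
  nonGet(method, uri, refererRoot, now) {
    const sent = [];
    let entry = this.cache.get(uri);
    if (entry && entry.expires <= now) { this.cache.delete(uri); entry = undefined; }
    let headers;
    if (entry) {
      headers = entry.headers; // shared across Referer-Roots; policy is re-evaluated below
    } else {
      sent.push(`GET ${uri} (Method-Check: ${method}, Referer-Root: ${refererRoot})`);
      const check = this.server('GET', uri,
        { 'Method-Check': method, 'Referer-Root': refererRoot }, now);
      if (check.status !== 200) return { performed: false, reason: 'check failed', sent };
      headers = check.headers;
      const exp = headers['Method-Check-Expires'];
      if (exp) {
        const expires = new Date(exp); // invalid HTTP-date -> NaN -> not cached
        if (!isNaN(expires.getTime()) && expires > now) this.cache.set(uri, { headers, expires });
      }
    }
    // Case-sensitive match against the Allow method list, as per HTTP.
    const allowed = (headers['Allow'] || '').split(',').map(s => s.trim());
    if (!allowed.includes(method)) return { performed: false, reason: 'method not in Allow', sent };
    if (!accessControlAllows(headers['Access-Control'] || '', refererRoot)) {
      return { performed: false, reason: 'Access-Control denies origin', sent };
    }
    sent.push(`${method} ${uri} (Referer-Root: ${refererRoot})`);
    const real = this.server(method, uri, { 'Referer-Root': refererRoot }, now);
    return { performed: true, status: real.status, reason: 'ok', sent };
  }
}

// Drive one scenario and return every outcome for inspection.
function runScenario() {
  const ua = new UserAgent(server);
  const t0 = new Date('Mon, 15 Oct 2007 12:58:42 GMT'); // constructed clock
  const t1 = new Date(t0.getTime() + 60 * 1000);         // one minute later
  const t2 = new Date(t0.getTime() + 3601 * 1000);       // just past the cache expiry
  const items = 'http://example.org/api/items';
  const readonly = 'http://example.org/api/readonly';
  return {
    first: ua.nonGet('POST', items, 'http://example.com', t0),       // check + real request
    cached: ua.nonGet('DELETE', items, 'http://example.com', t1),    // cache hit: real request only
    otherOrigin: ua.nonGet('POST', items, 'http://evil.example', t1), // cache hit, but origin refused
    lowercase: ua.nonGet('post', items, 'http://example.com', t1),   // 'post' != 'POST'
    expired: ua.nonGet('POST', items, 'http://example.com', t2),     // entry expired: check again
    readonly: ua.nonGet('PUT', readonly, 'http://example.com', t2),  // no expiry header, PUT refused
    cacheSize: ua.cache.size,
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Two points the simulation makes visible: the cache entry is keyed by URI only, so a second Referer-Root reuses the cached Allow and Access-Control values without another round trip but is still subject to the Access-Control evaluation, and a response without a valid future Method-Check-Expires leaves nothing in the cache, so every non-GET to that URI costs a fresh check request.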