Re: [access-control] non-GET threat model and authorization choreography

* Anne van Kesteren wrote:
>In the case of https to http, Referer would not be set, so the server would not
>know where the request originated. Third-party software sometimes also
>blocks Referer for privacy reasons (data hidden in path). There's no
>Method-Name header. The Method-Check header is purely informational.
>Servers could refuse access to clients based on lack of either
>Referer-Root or Method-Check though. OPTIONS responses can't easily be
>configured by authors as I understand it.

Then please remove the Method-Check header, it is not only unnecessary
but also confusing (you give the false impression servers can meaningfully
respond differently depending on it, and it complicates the protocol,
for example, it is unclear what to do with Vary: Method-Check).

As for OPTIONS on specific resources, I am not sure what configuration
might be necessary. With an ordinary CGI script on an Apache server, I
can successfully issue an OPTIONS request without any configuration, and
the response will include Allow and Access-Control headers just as I
specify them in the script. What configurations did you have in mind?

You didn't say why the processing instruction needs to be processed,
could you elaborate on that?

I don't understand your point about Referer-Root. What would I have to
do with the Referer-Root header's value on the server to ensure that
the access check completes successfully as intended? If servers never
need to process it, then clients cannot be required to disclose this
information.

If there are cases where servers need to know, why can't they use some
other method to get hold of the information, e.g. by configuring the
server so that only http://provider.example/user/ can be accessed from
http://user.example/? If they can do that, it seems the header should
be removed as well.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

Received on Monday, 15 October 2007 17:51:54 UTC
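Added illustration of the server-side choreography argued about above; this is not code from the message, from the draft, or from either author. It sketches the CGI-style handler Björn describes: answer OPTIONS with Allow and Access-Control without any special server configuration, and, for the actual request, make the per-origin decision ("only http://user.example/ may reach http://provider.example/user/") from Referer-Root, falling back to Referer and otherwise failing closed. The header grammar (`Referer-Root: scheme://host`, `Access-Control: allow <host>` / `deny <*>`) is assumed from the 2007 draft; the policy table and the request headers are constructed for the example.

```python
# Added example (not from the message or the access-control draft). Header
# names and the "allow <host>" grammar are assumptions taken from the 2007
# draft; the policy and sample requests below are constructed.
from urllib.parse import urlsplit

# Constructed policy for provider.example: path prefix -> origins allowed to
# reach it. "*" means any origin; otherwise scheme://host of the page origin.
POLICY = {
    "/user/": {"http://user.example"},   # only user.example may reach /user/
    "/public/": {"*"},                    # anyone may reach /public/
}

ALLOWED_METHODS = ("GET", "POST", "OPTIONS")


def normalize_root(value):
    """Reduce a Referer-Root (or Referer) value to scheme://host[:port].

    Returns None when the header is absent or not an http(s) URL, which is
    exactly the case Anne describes (https->http, privacy filters)."""
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def allowed_roots(path):
    """Longest-prefix match of the request path against POLICY."""
    best = ""
    for prefix in POLICY:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return POLICY.get(best, set())


def access_control_header(path):
    """Build the Access-Control value for a path (2007 draft syntax, assumed)."""
    roots = allowed_roots(path)
    if "*" in roots:
        return "allow <*>"
    hosts = sorted(urlsplit(r).netloc for r in roots)
    if not hosts:
        return "deny <*>"
    return "allow " + " ".join(f"<{h}>" for h in hosts)


def handle(method, path, headers):
    """Return (status, response_headers) as a CGI script on provider.example
    would emit them. `headers` is a dict of request headers."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        return 405, {"Allow": ", ".join(ALLOWED_METHODS)}

    if method == "OPTIONS":
        # Pre-flight: nothing to configure, the script just emits the headers.
        # Method-Check, if sent, is informational and is deliberately ignored.
        return 200, {
            "Allow": ", ".join(ALLOWED_METHODS),
            "Access-Control": access_control_header(path),
        }

    # Actual request: the server-side use of Referer-Root the thread asks
    # about. Without it (or a usable Referer) we cannot tell user.example
    # from anyone else, so a restricted path fails closed with 403.
    root = normalize_root(headers.get("Referer-Root"))
    if root is None:
        root = normalize_root(headers.get("Referer"))
    roots = allowed_roots(path)
    policy = {"Access-Control": access_control_header(path)}
    if "*" in roots or (root is not None and root in roots):
        return 200, policy
    return 403, policy


if __name__ == "__main__":
    # Constructed requests: pre-flight, then the real request with and
    # without the origin disclosed.
    print(handle("OPTIONS", "/user/data", {"Method-Check": "POST"}))
    print(handle("POST", "/user/data", {"Referer-Root": "http://user.example"}))
    print(handle("POST", "/user/data", {}))
```

The fail-closed branch is the trade-off the two messages circle around: a client whose Referer and Referer-Root are both stripped gets a 403 on the restricted path even when it is the legitimate user.example page, while the /public/ prefix needs neither header.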