- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 20 Sep 2007 11:21:25 -0700
- To: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote:
>> We would then like the document to indicate whether there are
>> situations where implementation of the Read Access Control Policy
>> mechanism would make a UA and the network to which it is attached any
>> more vulnerable to attack.
>>
>> We think that the increased risk is probably small, but we believe
>> that the document should present more analysis than it does at present.
>
> I tried making this more clear in the security section:
> http://dev.w3.org/2006/waf/access-control/Overview.html#security

We might want to mention that implementations should not allow other methods than GET, and not allow the user to specify username/password or HTTP headers in conjunction with this, without taking extra precaution to make sure that that is safe.

I.e. XHR2 will allow other methods than GET, but only if the server opts in to it.

/ Jonas
Received on Thursday, 20 September 2007 18:25:41 UTC
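The user-agent-side gate Jonas describes, written out as an added example (it is not code from the thread or from any W3C draft; the opt-in field names, the request shape and the sample values are assumptions made for the illustration):

```javascript
// Added example, not from the thread: a UA-side decision that sends a cross-site
// request without any server opt-in only when it is a plain GET with no
// user-specified headers and no credentials. Anything beyond that (other methods,
// custom headers, username/password) is refused unless the server opted in to it.
// The opt-in field names (allowMethods, allowHeaders, allowCredentials) are assumed
// for this example and loosely mirror later CORS headers, not the 2007 draft.

function isPlainGet(req) {
  return req.method.toUpperCase() === "GET" &&
         Object.keys(req.headers || {}).length === 0 &&
         !req.credentials;
}

// optIn is null when the server sent no opt-in at all.
function decideCrossSiteRequest(req, optIn) {
  const reasons = [];
  if (isPlainGet(req)) return { allowed: true, reasons };

  if (!optIn) {
    reasons.push("non-plain request and server did not opt in");
    return { allowed: false, reasons };
  }
  const method = req.method.toUpperCase();
  const methods = (optIn.allowMethods || []).map(m => m.toUpperCase());
  if (method !== "GET" && !methods.includes(method)) {
    reasons.push(`method ${method} not in server opt-in`);
  }
  // Header names are case-insensitive, so compare them lower-cased.
  const allowedHeaders = new Set((optIn.allowHeaders || []).map(h => h.toLowerCase()));
  for (const name of Object.keys(req.headers || {})) {
    if (!allowedHeaders.has(name.toLowerCase())) {
      reasons.push(`header ${name} not in server opt-in`);
    }
  }
  if (req.credentials && !optIn.allowCredentials) {
    reasons.push("credentials (username/password) not permitted by server opt-in");
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample requests and a constructed server opt-in for demonstration.
const plainGet = { method: "GET", headers: {}, credentials: false };
const deleteWithAuth = { method: "DELETE", headers: { "X-Custom": "1" }, credentials: true };
const serverOptIn = { allowMethods: ["GET", "POST"], allowHeaders: ["x-custom"], allowCredentials: false };

console.log(decideCrossSiteRequest(plainGet, null).allowed);       // true
console.log(decideCrossSiteRequest(deleteWithAuth, serverOptIn));  // allowed: false, two reasons
```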