- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sat, 02 Feb 2008 17:24:59 -0800
- To: "WAF WG (public)" <public-appformats@w3.org>
Hi All, Starting a new thread on this since I want to only talk about the requirements and problems we're trying to solve first. Before getting involved in discussing the various solutions. We have received a number of comments saying that the policy enforcement point (PEP) should be the server rather than the client. First I'd like to note that some of the enforcement will always have to live in the client. The client is already today what enforces the same-origin policy. If you open a HTML resource from another site in an <iframe>, or a PNG resource from another site in an <img>, the network request will always happen, but the client is what stops other sites from reading the data. Second, the argument has been brought up that server side PEP is more flexible. However the current access-control spec allows both server-side and client side filtering, so all the flexibility of server side PEP should already be there. If that is not the case, please explain exactly what flexibility is lacking in the current proposal. Third, people has been bringing up security concerns with client side PEP. If you are concerned about client side PEP, please elaborate on exactly what attacks you are worried about in the current proposal. In short, if you have concerns about the ability to do client side PEP, please describe in detail those concerns. Don't jump directly to alternative solutions. Best Regards, Jonas Sicking
Received on Sunday, 3 February 2008 01:25:27 UTC