Policy enforcement point

Hi All,

Starting a new thread on this since I want to only talk about the
requirements and problems we're trying to solve first, before getting
involved in discussing the various solutions.

We have received a number of comments saying that the policy enforcement 
point (PEP) should be the server rather than the client.

First I'd like to note that some of the enforcement will always have to 
live in the client. The client is already today what enforces the 
same-origin policy. If you open an HTML resource from another site in an 
<iframe>, or a PNG resource from another site in an <img>, the network 
request will always happen, but the client is what stops other sites 
from reading the data.

Second, the argument has been brought up that server side PEP is more 
flexible. However, the current access-control spec allows both 
server-side and client side filtering, so all the flexibility of server 
side PEP should already be there. If that is not the case, please 
explain exactly what flexibility is lacking in the current proposal.

Third, people have been bringing up security concerns with client side 
PEP. If you are concerned about client side PEP, please elaborate on 
exactly what attacks you are worried about in the current proposal.


In short, if you have concerns about the ability to do client side PEP, 
please describe in detail those concerns. Don't jump directly to 
alternative solutions.


Best Regards,
Jonas Sicking

Received on Sunday, 3 February 2008 01:25:27 UTC
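Added example, not part of the original message or of the access-control draft it discusses: a toy model of the point made above, that the cross-site network request always happens and it is the client that decides whether the requesting page may read the response. The header name and "*" / exact-origin syntax are borrowed from today's CORS as an assumption; the 2008 draft used a different syntax, and the sample URLs and responses are constructed.

```javascript
// Constructed sample responses standing in for cross-site fetches.
// The "server" side of the model is free to vary these per request
// (server-side filtering); the client side decides exposure.
const RESPONSES = {
  "https://data.example/public.json": {
    headers: { "Access-Control-Allow-Origin": "*" },
    body: '{"public":true}',
  },
  "https://data.example/partner.json": {
    headers: { "Access-Control-Allow-Origin": "https://app.example" },
    body: '{"partner":"data"}',
  },
  "https://data.example/private.json": {
    headers: {}, // no opt-in: only the resource's own origin may read it
    body: '{"secret":"x"}',
  },
};

// Server-side step: the request reaches the server regardless of origin.
// A real server could tailor the response to requestOrigin here.
function serverRespond(url, requestOrigin) {
  const r = RESPONSES[url];
  return r ? { ...r, requestOrigin } : { headers: {}, body: "" };
}

// Client-side PEP: decide whether the page at requestOrigin may read the
// body that has already been fetched. Same origin is always readable;
// cross origin requires an explicit opt-in header (assumed CORS syntax).
function clientMayRead(requestOrigin, resourceOrigin, response) {
  if (requestOrigin === resourceOrigin) return true;
  const allow = response.headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  return allow === "*" || allow === requestOrigin;
}

// Full flow: network request happens, then enforcement gates the data.
function crossSiteFetch(requestOrigin, url) {
  const resourceOrigin = new URL(url).origin;
  const response = serverRespond(url, requestOrigin);
  const allowed = clientMayRead(requestOrigin, resourceOrigin, response);
  return {
    networkRequestMade: true, // true even when reading is blocked
    body: allowed ? response.body : null,
    reason: allowed ? "allowed" : "blocked by client-side PEP",
  };
}
```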