- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 03 Feb 2008 21:08:36 -0800
- To: public-appformats@w3.org
Thomas Roessler wrote:
> I believe that this is the current wording of requirement 9:
>
> <sicking> i'd be ok with "Must not require that the server
> filters the entity body of the resource in order to deny
> cross-site access to all resources on the server"
>
> (From the minutes.)
>
> It occurs to me that the current specification assumes that all
> cross-site requests have a Referer-Root header set. That suggests
> that a configuration step as common as denying any requests with a
> particular header would be enough to fulfill this requirement, without
> actually relying upon the policy mechanism itself.
>
> In fact, for the kind of use case that this requirement seems to have
> in mind (somebody screwed up badly during policy authoring), that
> strategy would most likely be the one a sane administrator would
> take. Otherwise, there would be a risk that the insane policy comes
> with a bad Method-Check-Expires HTTP header.

Yes. I still stand by the formulation of the requirement though. The use case you described, "somebody screwed up badly during policy authoring", is the one I am worried about, so any solution that fits that is ok with me.

I.e. I think we should nail down the requirement as stated above, and then discuss the solutions that can fit it.

/ Jonas
Received on Monday, 4 February 2008 05:09:08 UTC
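The "deny any request carrying that header" strategy Thomas describes, written out as an added example that is not part of the thread or of the draft specification. It assumes Apache httpd 2.x with mod_rewrite enabled, and uses the Referer-Root header name the draft under discussion attaches to cross-site requests; the rule refuses such requests with 403 before any resource, and hence any policy header such as Method-Check-Expires, is served.

```apache
# Added example: server-wide kill switch for cross-site access.
# Assumes Apache httpd 2.x with mod_rewrite loaded; place in the
# server or virtual-host context so it covers every resource.
RewriteEngine On

# Match when the request carries a Referer-Root header with any value
# (the draft sets it on all cross-site requests).
RewriteCond %{HTTP:Referer-Root} .

# Refuse with 403 Forbidden; no entity body of the resource is touched,
# so a broken policy header on the resource itself cannot be exposed.
RewriteRule ^ - [F]
```

Because the decision is made on the request header alone, it satisfies the requirement quoted above without the server having to filter the entity body of any resource; it is also an all-or-nothing switch, which is exactly what the "somebody screwed up badly" case calls for.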