review of http://dev.w3.org/2006/waf/access-control/#requirements

Comments:

* "It should not be possible to perform cross-site non-safe  
operations, i.e., HTTP operations except for GET, HEAD, and OPTIONS,  
without a method check requestbeing performed." -- this specifies a  
solution in the requirements.

* "Must be deployable to IIS and Apache without requiring actions by  
the server administrator in a configuration where the user can upload  
static files, run serverside scripts (such as PHP, ASP, and CGI),  
control HTTP headers, and control authorization, but only do this for  
URIs under a given set of subdirectories on the server." This is  
incredibly specific; neither p3p.xml nor robots.txt supports the last  
condition, and yet that hasn't stopped their deployment. This also  
isn't motivated by any of the use cases. I dispute that this is a real  
requirement.

* "It should be possible to issue methods other than GET to the  
server, such as POST and DELETE." Add to this: "The solution must not  
unduly penalise use of methods other than GET, e.g., with performance  
degradation. Likewise, it must not penalise use of a particular style  
of URI, or the use of a large number of URIs."

--
Mark Nottingham       mnot@yahoo-inc.com

Received on Tuesday, 5 February 2008 23:57:54 UTC