- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Tue, 5 Feb 2008 15:57:30 -0800
- To: "WAF WG (public)" <public-appformats@w3.org>
Comments:

* "It should not be possible to perform cross-site non-safe operations, i.e., HTTP operations except for GET, HEAD, and OPTIONS, without a method check request being performed."

-- this specifies a solution in the requirements.

* "Must be deployable to IIS and Apache without requiring actions by the server administrator in a configuration where the user can upload static files, run serverside scripts (such as PHP, ASP, and CGI), control HTTP headers, and control authorization, but only do this for URIs under a given set of subdirectories on the server."

This is incredibly specific; neither p3p.xml nor robots.txt supports the last condition, and yet that hasn't stopped their deployment. This also isn't motivated by any of the use cases. I dispute that this is a real requirement.

* "It should be possible to issue methods other than GET to the server, such as POST and DELETE."

Add to this: "The solution must not unduly penalise use of methods other than GET, e.g., with performance degradation. Likewise, it must not penalise use of a particular style of URI, or the use of a large number of URIs."

--
Mark Nottingham
mnot@yahoo-inc.com
Received on Tuesday, 5 February 2008 23:57:54 UTC