- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 05 Feb 2008 17:43:14 -0800
- To: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>
Mark Nottingham wrote:
>
> Comments:
>
> * "It should not be possible to perform cross-site non-safe operations,
> i.e., HTTP operations except for GET, HEAD, and OPTIONS, without a
> method check request being performed." -- this specifies a solution in
> the requirements.

I agree the link should be removed. And I guess saying "without first checking that the server is ok with this" might be more generic wording?

> * "Must be deployable to IIS and Apache without requiring actions by the
> server administrator in a configuration where the user can upload static
> files, run server-side scripts (such as PHP, ASP, and CGI), control HTTP
> headers, and control authorization, but only do this for URIs under a
> given set of subdirectories on the server." This is incredibly specific;
> neither p3p.xml nor robots.txt supports the last condition, and yet that
> hasn't stopped their deployment. This also isn't motivated by any of the
> use cases. I dispute that this is a real requirement.

Unfortunately the part about being specific was requested. I would have much rather said that it should be deployable in typical server configurations.

Regarding only being able to control responses under certain directories, I think this is a pretty common setup. That's the configuration we used at my university, where I could only control resources under /~e97_jsi, and it's the case at work, where I can only control resources under /~sicking.

> * "It should be possible to issue methods other than GET to the server,
> such as POST and DELETE." Add to this: "The solution must not unduly
> penalise use of methods other than GET, e.g., with performance
> degradation. Likewise, it must not penalise use of a particular style of
> URI, or the use of a large number of URIs."

Sounds good to me. The only thing is that it sounds like it's ok to penalize GET requests. Maybe instead adding a new requirement:

  The solution must not unduly penalise cross-site requests with performance degradation. Likewise, it must not unduly penalise use of a particular style of URI, or the use of a large number of URIs.

/ Jonas
Received on Wednesday, 6 February 2008 01:45:20 UTC
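The following is an added example, not code from the thread or from the WAF working group's specification. It simulates the two parties in the exchange the thread discusses: a browser that sends safe methods (GET, HEAD, OPTIONS) cross-site without asking, but issues a "method check" request before any non-safe method and only proceeds if the server approves; and a server where, as in Jonas's deployment situation, the user controls only one subdirectory, so the policy is scoped to that prefix. Header names follow the later standardised CORS vocabulary (Origin, Access-Control-Request-Method, Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Max-Age) as an assumption for readability; the 2008 draft under discussion used different names. The prefix "/~sicking/", the origins and the paths are constructed sample values. The browser caches approvals per URI, which is exactly what makes "a large number of URIs" expensive under the requirement Mark and Jonas are wording, and the server's `method_checks` counter makes that cost visible.

```python
"""Simulated cross-site request flow with a server-side method check.

Added example, not from the mailing-list thread. Header names are the
later CORS names (assumption); scope prefix and origins are constructed.
"""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Response:
    status: int
    headers: dict


class Server:
    """A host where the user controls responses only under `prefix`
    (assumed '/~sicking/'), so the cross-site policy applies only there."""

    def __init__(self, prefix, allowed_origins, allowed_methods, max_age=600):
        self.prefix = prefix
        self.allowed_origins = set(allowed_origins)
        self.allowed_methods = set(allowed_methods) | SAFE_METHODS
        self.max_age = max_age
        self.method_checks = 0  # number of method-check requests answered

    def handle(self, method, path, headers):
        origin = headers.get("Origin")
        in_scope = path.startswith(self.prefix)
        origin_ok = in_scope and origin in self.allowed_origins

        # The method check: an OPTIONS request naming the method the
        # browser wants to use. Only resources under the prefix can answer it.
        if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
            self.method_checks += 1
            wanted = headers["Access-Control-Request-Method"]
            if origin_ok and wanted in self.allowed_methods:
                return Response(200, {
                    "Access-Control-Allow-Origin": origin,
                    "Access-Control-Allow-Methods": ", ".join(sorted(self.allowed_methods)),
                    "Access-Control-Max-Age": str(self.max_age),
                })
            return Response(403, {})

        # The actual request. The server always answers; whether the calling
        # page may read the answer depends on the allow-origin header.
        resp_headers = {}
        if origin_ok:
            resp_headers["Access-Control-Allow-Origin"] = origin
        return Response(200, resp_headers)


class Browser:
    """Client-side enforcement: safe methods go out directly, non-safe
    methods are preceded by a method check whose result is cached per URI."""

    def __init__(self, origin, server):
        self.origin = origin
        self.server = server
        self.approved = {}  # path -> set of methods the server approved

    def cross_site_request(self, method, path):
        headers = {"Origin": self.origin}
        if method not in SAFE_METHODS and method not in self.approved.get(path, set()):
            check = self.server.handle("OPTIONS", path,
                                       {**headers, "Access-Control-Request-Method": method})
            if check.status != 200 or check.headers.get("Access-Control-Allow-Origin") != self.origin:
                return "blocked"  # non-safe request never leaves the browser
            allowed = {m.strip() for m in check.headers["Access-Control-Allow-Methods"].split(",")}
            if method not in allowed:
                return "blocked"
            self.approved[path] = allowed  # cached: no second check for this URI
        resp = self.server.handle(method, path, headers)
        if resp.headers.get("Access-Control-Allow-Origin") != self.origin:
            return "opaque"  # request was sent, but the page cannot read the reply
        return "ok"


if __name__ == "__main__":
    server = Server("/~sicking/", ["http://app.example"], ["POST", "DELETE"])
    app = Browser("http://app.example", server)
    for method, path in [("GET", "/~sicking/data"), ("DELETE", "/~sicking/item/1"),
                         ("DELETE", "/~sicking/item/1"), ("DELETE", "/~sicking/item/2"),
                         ("PUT", "/~sicking/item/1"), ("POST", "/other/x")]:
        print(method, path, "->", app.cross_site_request(method, path),
              "checks so far:", server.method_checks)
```

Running the demo shows the two points of the thread side by side: a safe GET is never preceded by a check, even outside the controlled subdirectory (the page just cannot read the reply), while every distinct URI that receives a non-safe method costs one extra round trip the first time, which is the performance penalty the proposed requirement is meant to bound.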