Re: review of http://dev.w3.org/2006/waf/access-control/#requirements from Jonas Sicking on 2008-02-06 (public-appformats@w3.org from February 2008)

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 05 Feb 2008 17:43:14 -0800
To: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <47A910B2.5@sicking.cc>

Mark Nottingham wrote:
> 
> Comments:
> 
> * "It should not be possible to perform cross-site non-safe operations, 
> i.e., HTTP operations except for GET, HEAD, and OPTIONS, without a 
> method check requestbeing performed." -- this specifies a solution in 
> the requirements.

I agree the link should be removed. And I guess saying "without first 
checking that the server is ok with this" might be more generic wording?

> * "Must be deployable to IIS and Apache without requiring actions by the 
> server administrator in a configuration where the user can upload static 
> files, run serverside scripts (such as PHP, ASP, and CGI), control HTTP 
> headers, and control authorization, but only do this for URIs under a 
> given set of subdirectories on the server." This is incredibly specific; 
> neither p3p.xml nor robots.txt supports the last condition, and yet that 
> hasn't stopped their deployment. This also isn't motivated by any of the 
> use cases. I dispute that this is a real requirement.

Unfortunately the part of being specific was requested. I would have 
much rather said that it should be deployable in typical server 
configurations.

Regarding only being able to control responses under certain 
directories, I think this is a pretty common setup. That's the 
configuration we used at my university where I could only control 
resources under /~e97_jsi, and it's the case at work where I can only 
control resources under /~sicking.

> * "It should be possible to issue methods other than GET to the server, 
> such as POST and DELETE." Add to this: "The solution must not unduly 
> penalise use of methods other than GET, e.g., with performance 
> degradation. Likewise, it must not penalise use of a particular style of 
> URI, or the use of a large number of URIs."

Sounds good to me. The only thing is that it sounds like it's ok to 
penalize GET requests. Maybe instead adding a new requirement:

The solution must not unduly penalise cross-site requests with 
performance degradation. Likewise, it must not unduly penalise use of a 
particular style of URI, or the use of a large number of URIs.

/ Jonas

Received on Wednesday, 6 February 2008 01:45:20 UTC