- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 7 Feb 2008 00:06:09 +0000
- To: "L. David Baron" <dbaron@dbaron.org>
- CC: "public-appformats@w3.org" <public-appformats@w3.org>
Hi David,

L. David Baron wrote:
> On Wednesday 2008-02-06 22:05 +0000, Close, Tyler J. wrote:
> > One of the primary purposes of access control is correctly
> > assigning accountability for actions. I think the current AC4CSR
> > proposal creates subtle and perhaps unexpected consequences for an
> > application's ability to correctly assign accountability.
>
> To me, the most important use case for being able to do cross-site
> XMLHttpRequest is the ability to get to *public* resources. For
> example, being able to do things like the Flickr API on the client,
> without having to trust the API enough to let it inject script into
> your page. This is already possible with things like the basic (map
> display) part of the Google Maps API only because there aren't
> cross-site restrictions on image loading (although the Google Maps
> API doesn't actually work that way, presumably because it gives
> Google more flexibility to change the servers). I think it's
> extremely important that we ship something that allows this (i.e.,
> sites to relax the default cross-domain restrictions for some
> resources) in Firefox 3.
>
> In what cases is accountability for actions needed for such
> fully-public resources?

It may not be, in which case the user authentication cookies are also not needed. So public resources could be safely accessed by a design that did not send user cookies with the cross-domain request. Sending the cookies creates the issue of how to handle accountability.

--Tyler
Received on Thursday, 7 February 2008 00:07:35 UTC
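The following is an added illustration of the point Tyler makes above; it is not part of the thread and does not model the actual AC4CSR mechanics. It is a toy, offline simulation in which a page on one origin issues cross-domain requests to a resource server that authenticates users purely by session cookie. Two browser designs are compared: one that attaches the user's cookies to the cross-domain request and one that does not. The hostnames (`resource.example`, `evil.example`), the endpoints (`/public/photos`, `/account/delete`) and the session values are all constructed for the example.

```javascript
// Added example, not from the thread and not AC4CSR's real behaviour: a toy
// model of a browser making cross-site requests to a cookie-authenticated
// resource server, comparing "forward the user's cookies" with "don't".

// Constructed state: the user "alice" is logged in to resource.example.
const cookieJar = { "resource.example": { session: "sess-alice" } };
const sessions = { "sess-alice": "alice" };

// The resource server. It knows nothing about which page initiated the
// request; it only sees the cookie, so the cookie alone decides who is
// held accountable for the action. Endpoints are hypothetical.
function resourceServer(req) {
  const cookie = req.cookies ? req.cookies.session : undefined;
  const user = cookie && sessions[cookie] ? sessions[cookie] : null;
  switch (req.path) {
    case "/public/photos":
      // Fully public data: no user identity needed, nothing to account for.
      return { status: 200, actor: null, body: ["photo1", "photo2"] };
    case "/account/delete":
      if (!user) return { status: 401, actor: null, body: "login required" };
      // The server records this state change as performed by `user`.
      return { status: 200, actor: user, body: `account of ${user} deleted` };
    default:
      return { status: 404, actor: null, body: "not found" };
  }
}

// Modelled browser: a page at `pageOrigin` issues a cross-site request to
// `host`. `sendCookies` selects between the two designs under discussion.
// Note the page itself never sees the cookie value; the browser attaches it.
function crossSiteRequest(pageOrigin, host, path, sendCookies) {
  const req = {
    origin: pageOrigin,
    host,
    path,
    cookies: sendCookies ? cookieJar[host] : undefined,
  };
  return resourceServer(req);
}

// Run the same two requests from a third-party page under both designs.
function compareDesigns() {
  const thirdParty = "https://evil.example";
  const host = "resource.example";
  return {
    // Public data is reachable under either design.
    publicWithCookies: crossSiteRequest(thirdParty, host, "/public/photos", true),
    publicWithoutCookies: crossSiteRequest(thirdParty, host, "/public/photos", false),
    // With cookies forwarded, the server attributes the deletion to alice even
    // though evil.example initiated it: accountability is misassigned.
    deleteWithCookies: crossSiteRequest(thirdParty, host, "/account/delete", true),
    // Without cookies, the third-party page gets only what an anonymous
    // client would get, and the server has nothing to misattribute.
    deleteWithoutCookies: crossSiteRequest(thirdParty, host, "/account/delete", false),
  };
}

console.log(JSON.stringify(compareDesigns(), null, 2));
```

The "without cookies" design loses nothing for the public-resource use case in David's message, while the "with cookies" design turns any third-party page into a deputy acting under the user's identity, which is the accountability problem Tyler describes.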