Re: Accountability in AC4CSR

Close, Tyler J. wrote:
> 
> Anne van Kesteren wrote:
>> On Wed, 06 Feb 2008 23:05:17 +0100, Close, Tyler J. <tyler.close@hp.com> wrote:
>>> What mechanism is the WG recommending for assigning accountability for a
>>> cross-domain request? It seems some mechanism must be recommended, since
>>> the WG has eliminated the status quo approach.
>> What is recommended for this for cross-site GET and POST today?
> 
> Today, browsers and sites cooperate to prevent cross-domain requests. This WG is proposing a mechanism for the two to agree on the exchange of cross-domain requests, but is doing so in a way that prevents use of the status quo mechanism for assigning accountability, as currently used for non-cross-domain requests.

You can today perform cross-site POST requests using normal HTML 
<form>s. This works much the same way.

Another way to look at it is: if you host web pages on your web server, 
who do you hold accountable today? The person creating the webpage, or 
the person whose cookies or auth credentials you receive?

/ Jonas

Received on Thursday, 7 February 2008 01:13:00 UTC