
Re: Comments on: Access Control for Cross-site Requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 02 Jan 2008 16:58:43 -0800
Message-ID: <477C3343.6050603@sicking.cc>
To: "Close, Tyler J." <tyler.close@hp.com>
CC: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, "public-appformats@w3.org" <public-appformats@w3.org>

Close, Tyler J. wrote:
>> Sadly it is in many cases far easier for server-side authors
>> to negotiate
>> changes on the client side than it is for them to get their own server
>> administration team to change configurations.
> I suspect this goes back to our discussion on how to think about the 40% market share commanded by IE6.

So one way to look at it is that we're always going to require a new UA 
in order to get support for access-control. If you in addition are going 
to require additional server support you are for sure going to increase 
the deployment time.

>> I don't really understand what you think the current model
>> can't do that
>> your proposals can.
> Just "be simple". We only needed the client and server to agree on a
> single bit: "Do you understand the Referer-Root header?" Yet somehow,
> we've ended up with an entire policy language with both positive and
> negative statements.

I agree "be simple" is a very worthy goal. Especially for security 
features like these. But I believe the strategy "make it as simple as 
possible, but no simpler" also applies here. If we only support 
server-side checking, we're completely removing the ability to put 
cross-site reachable resources on servers where the author does not have 
the access (or ability) to configure the server or write cgi scripts.

/ Jonas
Received on Thursday, 3 January 2008 00:59:04 UTC
