- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 02 Jan 2008 16:58:43 -0800
- To: "Close, Tyler J." <tyler.close@hp.com>
- CC: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, "public-appformats@w3.org" <public-appformats@w3.org>
Close, Tyler J. wrote:
>> Sadly it is in many cases far easier for server-side authors
>> to negotiate
>> changes on the client side than it is for them to get their own server
>> administration team to change configurations.
>
> I suspect this goes back to our discussion on how to think about the
> 40% market share commanded by IE6.

So one way to look at it is that we're always going to require a new UA
in order to get support for access-control. If, in addition, you are going
to require additional server support, you are for sure going to increase
the deployment time.

>> I don't really understand what you think the current model
>> can't do that
>> your proposals can.
>
> Just "be simple". We only needed the client and server to agree on a
> single bit: "Do you understand the Referer-Root header?" Yet somehow,
> we've ended up with an entire policy language with both positive and
> negative statements.

I agree "be simple" is a very worthy goal, especially for security
features like these. But I believe the strategy "make it as simple as
possible, but no simpler" also applies here.

If we only support server-side checking, we're completely removing the
ability to put cross-site reachable resources on servers where the author
does not have the access (or ability) to configure the server or write
CGI scripts.

/ Jonas
Received on Thursday, 3 January 2008 00:59:04 UTC
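The two enforcement models argued about in the message above, as an added toy simulation that is not part of the thread and not code from any draft of the specification. Model A is the "single bit" design: the client sends a Referer-Root header and the server decides per request, which needs server-side logic for every protected resource. Model B is the static-policy design: the server attaches a policy to the response and the user agent evaluates it, which a plain file host can do. The policy syntax used here (`allow <pat> ... exclude <pat> ...`, with `*` and `*.suffix` host patterns) is a simplified stand-in chosen for this example, not the wording of the draft being discussed; the function names, the `partner.example.net` and `evil.example.org` hosts and the sample body are likewise assumptions of the example.

```python
"""Toy simulation of server-side (Referer-Root) versus client-side (static
policy) cross-site access checks. Assumed, simplified policy grammar:

    Access-Control: allow <pat> [<pat> ...] [exclude <pat> [<pat> ...]]

where <pat> is an exact host, '*', or a '*.example.org' style wildcard.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- host patterns -----------------------------------------------------------

def host_matches(pattern: str, host: str) -> bool:
    """Match a host against a pattern: exact host, '*', or '*.suffix'.
    '*.example.org' matches subdomains only, not 'example.org' itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.org"
        return host.endswith(suffix) and host != suffix[1:]
    return pattern == host

# --- Model A: server-side check of the Referer-Root header -------------------

def server_side_resource(referer_root: Optional[str], body: str) -> Tuple[int, str]:
    """A dynamic resource (a CGI script, say) that checks Referer-Root itself.
    Only partner.example.net (assumed partner host) may read it cross-site.
    In this toy, same-origin requests carry no Referer-Root and are served
    as before. The point: this needs executable code on the server."""
    if referer_root is None or host_matches("partner.example.net", referer_root):
        return 200, body
    return 403, ""

# --- Model B: static policy evaluated by the user agent ----------------------

_TOKEN = re.compile(r"<([^>]+)>")

@dataclass
class Policy:
    allow: List[str]
    exclude: List[str]

def parse_policy(header: str) -> Policy:
    """Split 'allow <...> ... exclude <...> ...' into two pattern lists."""
    allow_part, _, exclude_part = header.partition("exclude")
    allow_part = allow_part.replace("allow", "", 1)
    return Policy(_TOKEN.findall(allow_part), _TOKEN.findall(exclude_part))

def ua_permits(policy: Policy, page_host: str) -> bool:
    """Client-side rule: permitted if some allow pattern matches and no
    exclude pattern matches. Excludes win, which is what makes a statement
    like 'allow <*.example.org> exclude <evil.example.org>' expressible."""
    allowed = any(host_matches(p, page_host) for p in policy.allow)
    excluded = any(host_matches(p, page_host) for p in policy.exclude)
    return allowed and not excluded

def static_host_fetch(page_host: str) -> Optional[str]:
    """A static file host serves identical bytes to everyone, so it cannot
    run Model A; its only lever is a policy the user agent enforces. Returns
    the body the script would see, or None if the UA withholds it."""
    headers = {"Access-Control": "allow <*.example.org> exclude <evil.example.org>"}
    body = '{"secret": "static data"}'          # constructed sample body
    policy = parse_policy(headers["Access-Control"])
    return body if ua_permits(policy, page_host) else None

if __name__ == "__main__":
    print("Model A, partner :", server_side_resource("partner.example.net", "ok"))
    print("Model A, stranger:", server_side_resource("attacker.example", "ok"))
    for host in ("app.example.org", "evil.example.org", "example.org"):
        print("Model B,", host, "->", static_host_fetch(host))
```

The contrast the message draws shows up in the two server functions: `server_side_resource` is code that must run on the origin server for every request, while `static_host_fetch` contains no decision logic at all beyond emitting a header, and the user agent does the work.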