W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re: Comments on: Access Control for Cross-site Requests

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Thu, 3 Jan 2008 12:26:57 +1100
Cc: "Close, Tyler J." <tyler.close@hp.com>, Anne van Kesteren <annevk@opera.com>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-Id: <6F368655-FBC3-4B3F-A6AD-50F2B4466959@yahoo-inc.com>
To: Ian Hickson <ian@hixie.ch>

On 03/01/2008, at 11:58 AM, Ian Hickson wrote:
> No, we need more than that.
> We need something that (in no particular order):
> * introduces no new XSS attack vectors when a user changes client,
>   assuming the client is conforming to the new spec
> * introduces no new XSS attack vectors when an author changes server,
>   assuming the server is conforming to the new spec
> * can be implemented without changing the actual server software
> * can be used to provide files for cross-domain access via GET without
>   scripting of any kind of the server side
> * can be configured on a per-resource basis
> * can be configured without coordination with the main site  
> administrator
> * does not introduce the risk of caches inadvertently allowing access
>   when it should not be allowed
> * leaves the control in the hand of the server
> The currently proposed solution achieves all of this, by making the  
> server
> make the decision, but requiring that the decision be conveyed using a
> handshake that explicitly reports the decision, and making that  
> handshake
> expressive enough that it can be precomputed and stored within the
> resource itself, allowing it to be used without server-side scripting.
> Your proposals so far have only achieved simplicity by not  
> addressing some
> of the other requirements.

Has the working group gained consensus on this requirements list and  
documented it?

Mark Nottingham       mnot@yahoo-inc.com
Received on Thursday, 3 January 2008 01:27:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC