Re: Comments on: Access Control for Cross-site Requests

My conclusion after going through various standards efforts that there
tends to be a better end result when the working group takes some time at
the beginning to write down and gain consensus on a set of target use cases
(can be described briefly) and at least a general set of requirements. This
gets the working group on the same page and allows the public to provide
early feedback about whether the specification ultimately will deliver what
the community needs. When I studied the Access Control specification a
couple of months ago, I attempted to find things that even halfway
resembled use cases and requirements, couldn't find anything, and then
attempted to hazard a guess:


In terms of requirements, it is advisable to have a separate requirements
document (possibly including use cases) or a separate requirements section.
I have found that a good format for requirements is to use MUST/SHOULD/MAY
terminology where the new language MUST do this and the new language SHOULD
do that. For instance:

* The Access Control mechanism MUST not broaden the attack surface for
hackers, particularly with regard to CSRF
* The Access Control mechanism MUST be architected such that servers must
opt-in to the technology before their data can be accessed from a different
* The Access Control mechanism MUST enable retrieval of information from
other domains that allow such retrieval, and MAY enable posting data to
other domains.
* The Access Control mechanism MUST support popular data transmissions
formats, including both XML and JSON

I would very much like to see at least the addition of a use cases section
at the top of the specification, but it would be nice to also see a list of


             "Anne van                                                     
             <                                          To 
             >                         "Mark Nottingham"                   
             Sent by:                  <>, "Ian Hickson" 
             public-appformats         <>                      
                                       "Close, Tyler J."                   
             01/03/2008 12:54          ""          
             AM                        <>          
                                       Re: Comments on: Access Control for 
                                       Cross-site Requests                 

On Thu, 03 Jan 2008 02:26:57 +0100, Mark Nottingham <>
> Has the working group gained consensus on this requirements list and
> documented it?

As far as I can tell the Working Group has always worked with these
constraints in mind, but we never put them in a document.

Anne van Kesteren

Received on Thursday, 3 January 2008 15:19:51 UTC