
Re: Comments on: Access Control for Cross-site Requests

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Tue, 8 Jan 2008 11:38:28 +1100
Cc: David Orchard <dorchard@bea.com>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-Id: <32C0C429-35D2-45FE-97F3-4D01303FB7CA@yahoo-inc.com>
To: "Close, Tyler J." <tyler.close@hp.com>

Personally, I think that both the access control draft as it sits and  
JSONRequest are short-term workarounds (all right, hacks), while your  
solution feels like a longer-term solution. I'd also like to see the  
constraints documented, but I'm not as willing to move on quite yet;  
while there may be a place for short-term workarounds, that doesn't  
mean we need to settle for them.


On 08/01/2008, at 10:45 AM, Close, Tyler J. wrote:

> Hi Dave,
> Thanks for the encouragement.
> I'd like to get the constraints nailed down before offering another  
> design. One possible interpretation of the conversation to date is  
> that the mechanism must work if the author has only the ability to  
> deposit a single file on the web server. That makes things pretty  
> tough.
> Given the resistance to changing the design of the XMLHttpRequest  
> proposal, and Jonas Sicking's comment that Firefox 3 will support  
> JSONRequest, I'm also strongly tempted to say "good enough" and move  
> on.
> --Tyler
>> -----Original Message-----
>> From: David Orchard [mailto:dorchard@bea.com]
>> Sent: Monday, January 07, 2008 3:31 PM
>> To: Close, Tyler J.
>> Cc: public-appformats@w3.org
>> Subject: RE: Comments on: Access Control for Cross-site Requests
>>> -----Original Message-----
>>> From: public-appformats-request@w3.org
>>> [mailto:public-appformats-request@w3.org] On Behalf Of
>>> Close, Tyler J.
>>> Sent: Wednesday, January 02, 2008 5:57 PM
>>> To: Ian Hickson
>>> Cc: Jonas Sicking; Anne van Kesteren; public-appformats@w3.org
>>> Subject: RE: Comments on: Access Control for Cross-site Requests
>> <snip/>
>>> (I still doubt the utility of these constraints, but
>>> whatever, I'll play)
>>> --Tyler
>> I personally haven't heard clear compelling evidence why client-side PEP
>> is worth the complexity.  By my read of the WG, I see a few folks for
>> client-side PEP and a few folks interested in the server-side only PEP.
>> I take the review of the Security Context WG very seriously.  The fact
>> that apparently you, Doug Crockford, Jon F, Mark N, and others are
>> concerned about this, perhaps the largest, part of the design gives me
>> cause for serious concern.  I think that if the Working Group members
>> won't explore the server-side PEP design, then I think a number of WG
>> members and non-members but interested parties would be grateful for
>> design(s) that you choose to offer.  I'm not sure that there is
>> consensus in the WG for the client-side PEP approach given your and
>> others' similar comments, and I think that you've added some useful new
>> information.
>> Cheers,
>> Dave

Mark Nottingham       mnot@yahoo-inc.com
Received on Tuesday, 8 January 2008 00:39:04 UTC