- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Tue, 8 Jan 2008 11:38:28 +1100
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: David Orchard <dorchard@bea.com>, "public-appformats@w3.org" <public-appformats@w3.org>

Personally, I think that both the access control draft as it sits and JSONRequest are short-term workarounds (all right, hacks), while your solution feels like a longer-term solution.

I'd also like to see the constraints documented, but I'm not as willing to move on quite yet; while there may be a place for short-term workarounds, that doesn't mean we need to settle for them.

Cheers,

On 08/01/2008, at 10:45 AM, Close, Tyler J. wrote:

> Hi Dave,
>
> Thanks for the encouragement.
>
> I'd like to get the constraints nailed down before offering another design. One possible interpretation of the conversation to date is that the mechanism must work if the author has only the ability to deposit a single file on the web server. That makes things pretty tough.
>
> Given the resistance to changing the design of the XMLHttpRequest proposal, and Jonas Sicking's comment that Firefox 3 will support JSONRequest, I'm also strongly tempted to say "good enough" and move on.
>
> --Tyler
>
>> -----Original Message-----
>> From: David Orchard [mailto:dorchard@bea.com]
>> Sent: Monday, January 07, 2008 3:31 PM
>> To: Close, Tyler J.
>> Cc: public-appformats@w3.org
>> Subject: RE: Comments on: Access Control for Cross-site Requests
>>
>>> -----Original Message-----
>>> From: public-appformats-request@w3.org [mailto:public-appformats-request@w3.org] On Behalf Of Close, Tyler J.
>>> Sent: Wednesday, January 02, 2008 5:57 PM
>>> To: Ian Hickson
>>> Cc: Jonas Sicking; Anne van Kesteren; public-appformats@w3.org
>>> Subject: RE: Comments on: Access Control for Cross-site Requests
>>
>> <snip/>
>>>
>>> (I still doubt the utility of these constraints, but whatever, I'll play)
>>>
>>> --Tyler
>>
>> I personally haven't heard clear compelling evidence why client-side PEP is worth the complexity. By my read of the WG, I see a few folks for client-side PEP and a few folks interested in the server-side only PEP.
>>
>> I take the review of the Security Context WG very seriously. The fact that apparently, you, Doug Crockford, Jon F, Mark N, and others are concerned about this, perhaps the largest, part of the design gives me cause for serious concern. I think that if the Working Group members won't explore the server-side PEP design, then I think a number of WG members and non-members but interested parties would be grateful for design(s) that you choose to offer. I'm not sure that there is consensus in the WG for the client-side PEP approach given your and others' similar comments and I think that you've added some useful new information.
>>
>> Cheers,
>> Dave

--
Mark Nottingham mnot@yahoo-inc.com

Received on Tuesday, 8 January 2008 00:39:04 UTC