- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 9 Jan 2008 00:16:31 +0100
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Mark Nottingham <mnot@yahoo-inc.com>, Ian Hickson <ian@hixie.ch>, "Close, Tyler J." <tyler.close@hp.com>, "public-appformats@w3.org" <public-appformats@w3.org>
(Finally catching up on WG mail after the new year's break.) On 2008-01-03 09:54:29 +0100, Anne van Kesteren wrote: > On Thu, 03 Jan 2008 02:26:57 +0100, Mark Nottingham <mnot@yahoo-inc.com> >> Has the working group gained consensus on this requirements list and >> documented it? > As far as I can tell the Working Group has always worked with these > constraints in mind, but we never put them in a document. For the record, there was a lengthy discussion at the technical plenary that, I believe, there is no final agreement on the "no server implementation effort" requirement. Also, among these requirements, "server ultimately controls access" is *very* ambiguous. To begin with, the distinction between a cross-site access to a resource and a first-party access to that resource is one that, ultimately, only the client can make. Therefore, any enforcement mechanism *will* trust the client with a critical piece of information, whether that mechanism performs computation on the server or on the client. One can draw different conclusions from this, depending on what part of the overall complexity one wants to keep down. Further, for GET, the protection goal is controlling a data flow that is opened up *within* the client (and is currently blocked). For POST and other methods, avoiding spontaneous requests seems to have crept in as well. As I said before, I'm very doubtful how useful that is as a protection goal any more -- I think that horse has left the barn, quite some time ago. Cheers, -- Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 8 January 2008 23:16:35 UTC