Re: Comments on: Access Control for Cross-site Requests

(Finally catching up on WG mail after the new year's break.)

On 2008-01-03 09:54:29 +0100, Anne van Kesteren wrote:

> On Thu, 03 Jan 2008 02:26:57 +0100, Mark Nottingham <mnot@yahoo-inc.com> 

>> Has the working group gained consensus on this requirements list and 
>> documented it?

> As far as I can tell the Working Group has always worked with these 
> constraints in mind, but we never put them in a document.

For the record, there was a lengthy discussion at the technical
plenary, and, I believe, there is no final agreement on the "no
server implementation effort" requirement.

Also, among these requirements, "server ultimately controls access"
is *very* ambiguous.

To begin with, the distinction between a cross-site access to a
resource and a first-party access to that resource is one that,
ultimately, only the client can make.  Therefore, any enforcement
mechanism *will* trust the client with a critical piece of
information, whether that mechanism performs computation on the
server or on the client.  One can draw different conclusions from
this, depending on what part of the overall complexity one wants to
keep down.

Further, for GET, the protection goal is controlling a data flow
that is opened up *within* the client (and is currently blocked).

For POST and other methods, avoiding spontaneous requests seems to
have crept in as well.  As I said before, I'm very doubtful how
useful that is as a protection goal any more -- I think that horse
has left the barn, quite some time ago.

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 8 January 2008 23:16:35 UTC