From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Fri, 11 Jan 2008 10:42:39 +1100
Cc: public-appformats@w3.org
Message-Id: <B359E36F-1397-40AF-B657-BBF93A9CDEAB@yahoo-inc.com>
To: Brad Porter <bwporter@yahoo.com>

On 09/01/2008, at 9:38 AM, Brad Porter wrote:

> In particular, moving to server-based access-control requires:
> a) browsers to provide verifiable REFERER, unique user, or other  
> equivalent identity information

I don't follow this. It requires data to be provided by the browser  
(Referer-Root in the current proposal), but it doesn't require it to  
be verifiable, any more than you require the client's application of  
the policy to be verifiable.

If anything, I'd imagine the server-side model to be more attractive  
to the corporate IT department, because it requires so much less of  
the browser (where so many security bugs have originated, and  
something entirely outside their ability to fix).

Mark Nottingham       mnot@yahoo-inc.com
Received on Thursday, 10 January 2008 23:42:57 UTC
