
Re: Examining the 'no server modification' requirement

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 11 Jan 2008 11:03:07 +0000 (UTC)
To: Brad Porter <bwporter@yahoo.com>
Cc: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0801111059510.13181@hixie.dreamhostps.com>

On Thu, 10 Jan 2008, Brad Porter wrote:
> 
> I wonder to some extent if this entire debate could be addressed by 
> including functionality in the access-control specification that would 
> allow the server to also perform the validation if it chooses?  A 
> solution where both the browser and the server are enforcing the policy 
> may ultimately be the strongest.  This would enable webmasters to feel 
> like they have some control, but also prevent the browser vendors from 
> being blamed when webservers accidentally expose all their data by 
> improperly implementing the server-side gate.

There already is a server-side gate. The server ultimately controls what 
headers and PIs are sent back on a per-response basis; you can treat the 
current specification as a purely server-side model that just happens to 
have a syntactically complicated handshake.


I agree with all your other comments regarding the need for the option of 
providing a static declaration of policy.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 11 January 2008 11:03:18 UTC
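
The per-response server-side gate discussed in this message, as an added example that is not part of the original email or of the specification. It assumes the header names of today's CORS (`Origin`, `Access-Control-Allow-Origin`) rather than the 2008 draft's syntax, and `POLICY`, `allowed_origins`, `gate` and the sample origins are hypothetical names constructed for illustration.

```python
# Added example: a per-response access-control gate.
# Assumption: modern CORS header names stand in for the 2008 draft's headers/PIs.
POLICY = {  # constructed sample policy: path prefix -> origins allowed to read
    "/public/": {"*"},
    "/partner/": {"https://partner.example"},
}


def allowed_origins(path):
    """Return the origin set for the longest matching prefix, or an empty set."""
    best = max((p for p in POLICY if path.startswith(p)), key=len, default=None)
    return POLICY[best] if best else set()


def gate(path, request_headers, enforce_on_server=False):
    """Decide the status and access-control headers for one response.

    enforce_on_server=False: the server only emits or withholds the header,
    and the browser enforces the result.
    enforce_on_server=True: the server also refuses the request itself, so
    both sides enforce the same policy.
    """
    origin = request_headers.get("Origin")
    headers = {"Vary": "Origin"}  # caches must not reuse a per-origin answer
    if origin is None:  # no Origin header, so there is nothing to gate here
        return 200, headers
    allowed = allowed_origins(path)
    if "*" in allowed:
        headers["Access-Control-Allow-Origin"] = "*"
        return 200, headers
    if origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
        return 200, headers
    # Header withheld: the browser keeps the response from the calling page.
    return (403 if enforce_on_server else 200), headers


if __name__ == "__main__":
    for o in ("https://partner.example", "https://other.example"):
        print(o, gate("/partner/data", {"Origin": o}, enforce_on_server=True))
```

Because the decision is made for each response, a path with no policy entry fails closed: no header is emitted, and with `enforce_on_server=True` the request is refused as well.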
