Re: ISSUE 19: Requirements and Usage Scenarios document

On 09/01/2008, at 1:36 PM, Jon Ferraiolo wrote:

> How does the WAF WG want to receive feedback on the use cases and  
> requirements document? Via ad hoc emails on this list?
>
> One thing that strikes me immediately is that there are requirements  
> about XSS (cross-site scripting) but no mention of CSRF, which is  
> one of the concern areas from the folks at OpenAjax Alliance,  
> primarily due to the current specification saying that cookies will  
> be sent.
>
+1

From what I understand, the response to this concern is usually "that  
horse has already bolted."

For the record, while I understand this sentiment, I personally don't  
think it's a good excuse to open the door wider.

Cheers,


>
>
> Jon
>
>
> "David Orchard" <dorchard@bea.com>
> Sent by: public-appformats-request@w3.org
> 01/08/2008 04:04 PM
>
> To: "WAF WG (public)" <public-appformats@w3.org>
> Subject: ISSUE 19: Requirements and Usage Scenarios document
>
> Art suggested that I could do a bit of spec grunt work on  
> requirements document so I put some pen to paper. I've made a stab  
> at creating a requirements/usage scenarios document based upon Ian's  
> requirements. I've checked it into the waf access-control cvs dir,  
> but I don't think I have permissions to make the files world  
> readable. Hence, I've sent to www-archive at http://lists.w3.org/Archives/Public/www-archive/2008Jan/0010.html
> The HTML is at http://lists.w3.org/Archives/Public/www-archive/2008Jan/att-0010/AccessControl-Requirements-20070108.html
>
> I hope this helps the working group and I'm glad to continue or not  
> continue work on the document as the WG sees fit.
>
> Cheers,
> Dave
>

--
Mark Nottingham       mnot@yahoo-inc.com

Received on Tuesday, 15 January 2008 04:24:44 UTC