- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Tue, 15 Jan 2008 15:24:06 +1100
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: "David Orchard" <dorchard@bea.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
On 09/01/2008, at 1:36 PM, Jon Ferraiolo wrote:

> How does the WAF WG want to receive feedback on the use cases and
> requirements document? Via adhoc emails on this list?
>
> One thing that strikes me immediately is that there are requirements
> about XSS (cross-site scripting) but no mention of CSRF, which is
> one of the concern areas from the folks at OpenAjax Alliance,
> primarily due to the current specification saying that cookies will
> be sent.

+1

From what I understand, the response to this concern is usually "that horse has already bolted." For the record, while I understand this sentiment, I personally don't think it's a good excuse to open the door wider.

Cheers,

> Jon
>
> "David Orchard" <dorchard@bea.com>
> Sent by: public-appformats-request@w3.org
> 01/08/2008 04:04 PM
>
> To: "WAF WG (public)" <public-appformats@w3.org>
> cc:
> Subject: ISSUE 19: Requirements and Usage Scenarios document
>
> Art suggested that I could do a bit of spec grunt work on
> requirements document so I put some pen to paper. I've made a stab
> at creating a requirements/usage scenarios document based upon Ian's
> requirements. I've checked it into the waf access-control cvs dir,
> but I don't think I have permissions to make the files world
> readable. Hence, I've sent to www-archive at
> http://lists.w3.org/Archives/Public/www-archive/2008Jan/0010.html
> The HTML is at
> http://lists.w3.org/Archives/Public/www-archive/2008Jan/att-0010/AccessControl-Requirements-20070108.html
>
> I hope this helps the working group and I'm glad to continue or not
> continue work on the document as the WG sees fit.
>
> Cheers,
> Dave

--
Mark Nottingham
mnot@yahoo-inc.com
Received on Tuesday, 15 January 2008 04:24:44 UTC