- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 22 Jan 2008 23:50:59 +0100
- To: "Mark Nottingham" <mnot@yahoo-inc.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 22 Jan 2008 23:14:26 +0100, Mark Nottingham <mnot@yahoo-inc.com> wrote:

> On 22/01/2008, at 8:59 PM, Anne van Kesteren wrote:
>> On Tue, 22 Jan 2008 04:56:52 +0100, Mark Nottingham <mnot@yahoo-inc.com>
>>> [...] Separate from the server-side vs. client-side policy enforcement
>>> issue (which I'm not bringing up here explicitly, since it's an open
>>> issue AFAICT, although the WG doesn't link to its issues list from its
>>> home page), the Working Group needs to motivate the decision to have
>>> access control policy only apply on a per-resource basis, rather than
>>> per resource tree, or site-wide.
>>
>> It's not an open issue.
>
> Let's have one, then. The W3C has already solved the problem of
> site-wide metadata once, and there should be *some* reason for taking a
> different path this time.

Actually, we have an open issue on this one and it's proposed for closing as we have a per-resource policy requirement.

>>> Overall, this approach doesn't seem well-integrated into the Web, or
>>> even friendly to it; it's more of a hack, which is puzzling, since it
>>> requires clients to change anyway.
>>
>> I don't really understand this. Changing clients is cheap compared to
>> changing all the servers out there.
>
> Spoken like a true browser vendor. The thing is, it's not necessary to
> change all of the servers; anyone who's sufficiently motivated to
> publish cross-site data can get their server updated, modified, or move
> to a new one easily. OTOH they have *no* power to update their users'
> browsers (unless they're in an especially iron-fisted enterprise IT
> environment, and even then...).

We need updates of browsers anyway. Otherwise cross-site XMLHttpRequest will not work. Also, I still don't understand your comment correctly.

>> Multi-user hosts already need filtering. Otherwise they could simply
>> load a page from the same domain with a different path in an <iframe>
>> or something and do the request from there. The security model of the
>> Web is based around domains. How unfortunate or fortunate that may be.
>
> Yes; it's still worth pointing this out for the uninitiated.

Can you propose some text?

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
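The point made in the last exchange, that a page under another user's path on a shared host is same-origin and so a per-resource policy is never consulted, can be illustrated with a small model. This is an added example, not code from the thread or from the Access Control specification; the `origin`/`request_allowed` functions, the `users.example.net` host and the policy set are constructed assumptions.

```python
# Added example (not from the thread): models why a per-path access-control
# policy cannot isolate users who share one host, because the browser's
# security model keys on origin (scheme, host, port), never on path.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Origin as browsers compute it: (scheme, host, port). The path is ignored."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def request_allowed(page_url: str, resource_url: str, allowed_origins: set) -> bool:
    """Client-side check for an XMLHttpRequest from page_url to resource_url.

    allowed_origins is the resource's own (per-resource) policy: the set of
    foreign origins it opts in to. Same-origin requests never consult it,
    which is exactly the gap on a multi-user host.
    """
    if origin(page_url) == origin(resource_url):
        return True
    return origin(page_url) in allowed_origins


# Constructed scenario: a shared host where Alice and Bob each own a path.
BOB_PRIVATE = "http://users.example.net/bob/private.json"
BOB_POLICY = {origin("https://partner.example")}  # the only foreign origin Bob allows
ALICE_PAGE = "http://users.example.net/alice/page.html"
PARTNER_PAGE = "https://partner.example/app.html"
OTHER_PAGE = "https://other.example/app.html"


def demo() -> dict:
    """Who can read Bob's resource under a per-resource policy."""
    return {
        "partner": request_allowed(PARTNER_PAGE, BOB_PRIVATE, BOB_POLICY),  # True: opted in
        "other": request_allowed(OTHER_PAGE, BOB_PRIVATE, BOB_POLICY),      # False: policy blocks
        "alice": request_allowed(ALICE_PAGE, BOB_PRIVATE, BOB_POLICY),      # True: same origin, policy unused
    }


if __name__ == "__main__":
    print(demo())  # {'partner': True, 'other': False, 'alice': True}
```

The `alice` result is the filtering problem the message refers to: only host-level separation (one origin per user), not a per-path policy, keeps Alice's page away from Bob's data.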
Received on Tuesday, 22 January 2008 22:47:27 UTC