Re: Feedback on Access Control

On Tue, 22 Jan 2008 23:14:26 +0100, Mark Nottingham <>  
> On 22/01/2008, at 8:59 PM, Anne van Kesteren wrote:
>> On Tue, 22 Jan 2008 04:56:52 +0100, Mark Nottingham <
>>> [...] Separate from the server-side vs. client-side policy enforcement  
>>> issue (which I'm not bringing up here explicitly, since it's an open  
>>> issue AFAICT, although the WG doesn't link to its issues list from its  
>>> home page), the Working Group needs to motivate the decision to have  
>>> access control policy only apply on a per-resource basis, rather than  
>>> per resource tree, or site-wide.
>> It's not an open issue.
> Let's have one, then. The W3C has already solved the problem of site- 
> wide metadata once, and there should be *some* reason for taking a  
> different path this time.

Actually, we have an open issue on this one and it's proposed for closing  
as we have per resource policy requirement.

>>> Overall, this approach doesn't seem well-integrated into the Web, or  
>>> even friendly to it; it's more of a hack, which is puzzling, since it  
>>> requires clients to change anyway.
>> I don't really understand this. Changing clients is cheap compared to  
>> changing all the servers out there.
> Spoken like a true browser vendor. The thing is, it's not necessary to  
> change all of the servers; anyone who's sufficiently motivated to  
> publish cross-site data can get their server updated, modified, or move  
> to a new one easily. OTOH they have *no* power to update their users'  
> browsers (unless they're in an especially iron-fisted enterprise IT  
> environment, and even then...).

We need updates of browsers anyway. Otherwise cross-site XMLHttpRequest  
will not work. Also, I still don't understand your comment correctly.

>> Multi-user hosts already need filtering. Otherwise they could simply  
>> load a page from the same domain with a different path in an <iframe>  
>> or something and do the request from there. The security model of the  
>> Web is based around domains. How unfortunate or fortunate that may be.
> Yes; it's still worth pointing this out for the uninitiated.

Can you propose some text?

Anne van Kesteren

Received on Tuesday, 22 January 2008 22:47:27 UTC