Re: Feedback on Access Control

On Wed, 23 Jan 2008 22:17:36 +0100, Mark Nottingham wrote:
> BTW, I understand the motivation for this now that OPTIONS is used, but  
> you still have a clock sync problem.

Race conditions are already covered by the specification. Authors are  
advised to check the Referer-Root header to prevent such issues from  

> Also, HTTP caches won't be able to exploit this. I'm thinking especially  
> of HTTP accelerators (e.g., Akamai); OPTIONS traffic is going to create  
> a lot of undesirable back-end communication for them, until they come up  
> with a workaround. My main concern is that different intermediaries are  
> going to come up with different strategies for caching OPTIONS results.

OPTIONS is part of the traffic that is non-static. I'm not sure how much  
you can optimize that by using HTTP accelerators. Again though, the idea  
is that the request reaches the server and that the server specifies an  
HTTP-date indicating how long the policy is valid.

Anne van Kesteren

Received on Wednesday, 23 January 2008 23:26:30 UTC