
Re: Feedback on Access Control

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 24 Jan 2008 00:30:01 +0100
To: "Mark Nottingham" <mnot@yahoo-inc.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t5eowbln64w2qv@annevk-t60.oslo.opera.com>

On Wed, 23 Jan 2008 22:17:36 +0100, Mark Nottingham <mnot@yahoo-inc.com> wrote:
> BTW, I understand the motivation for this now that OPTIONS is used, but  
> you still have a clock sync problem.

Race conditions are already covered by the specification. Authors are
advised to check the Referer-Root header to prevent such issues from

> Also, HTTP caches won't be able to exploit this. I'm thinking especially  
> of HTTP accelerators (e.g., Akamai); OPTIONS traffic is going to create  
> a lot of undesirable back-end communication for them, until they come up  
> with a workaround. My main concern is that different intermediaries are  
> going to come up with different strategies for caching OPTIONS results.

OPTIONS is part of the traffic that is non-static. I'm not sure how much  
you can optimize that by using HTTP accelerators. Again though, the idea  
is that the request reaches the server and that the server specifies an  
HTTP-date indicating how long the policy is valid.

Anne van Kesteren
Received on Wednesday, 23 January 2008 23:26:30 UTC
