Re: [access-control] Editorial comments on Requirements Appendix v1.137

On Wed, 23 Jan 2008, Jon Ferraiolo wrote:
> [...] isn't there a way to allow cross-site POST requests containing XML 
> data without providing an attack vector against SOAP servers? For 
> example, Access Control is required to send XML/SOAP data in a manner 
> that will not work against SOAP servers, such as prefixing some invalid 
> characters in front of the XML data?

That wouldn't be XML then... I don't think we want to effectively fork XML 
just for this.

> > 3. Req #4 - change to:
> >
> > [[
> > Must be able to easily deploy support for cross-site GET requests.
> > Additionally, should not have to use server-side scripting (such as
> > PHP, ASP, or CGI) in a typical server configuration.
> > ]]
> I disagree with this requirement. At least make it may or a should 
> instead of must.

For what it's worth, this requirement is pretty important for us (Google), 
and we would probably end up looking for another solution if the solution 
this working group comes up with doesn't address this need. Not that this 
should stop the working group from coming up with a solution that doesn't 
address this need; using something else would work fine for us too. It 
just would be more convenient if we could use the WAF's solution.

As an aside, I do agree that Art's suggested rewording is better than the 
current text.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 24 January 2008 00:58:58 UTC