Re: Feedback on Access Control

On Thu, 24 Jan 2008, Mark Nottingham wrote:
> On 24/01/2008, at 10:30 AM, Anne van Kesteren wrote:
> > On Wed, 23 Jan 2008 22:17:36 +0100, Mark Nottingham <mnot@yahoo-inc.com>
> > wrote:
> > >
> > > BTW, I understand the motivation for this now that OPTIONS is used, 
> > > but you still have a clock sync problem.
> > 
> > Race conditions are already covered by the specification. Authors are 
> > advised to check to the Referer-Root header to prevent such issues 
> > from occuring.
> 
> I didn't say it was a race condition, Anne. Consider a naive 
> implementation that use a local clock to determine when the policy 
> expires; e.g., if it expires at 1pm, and the local clock is incorrectly 
> indicating that it's 12:30pm, the implementation will see an expired 
> policy and be unable to fetch a valid one. This can be avoided by using 
> an offset from the Date header, but you need to specify that.
> 
> Another (probably better, based upon experience with caching) approach 
> would be to use a delta rather than a http-date.

Yeah, I agree that having the header just have a number of seconds would 
be better than having an HTTP date.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 24 January 2008 01:12:16 UTC