Re: P3P - Feedback on Access Control

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 23 Jan 2008 17:25:17 -0800
Message-ID: <4797E8FD.80304@sicking.cc>
To: Ian Hickson <ian@hixie.ch>
CC: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>

Ian Hickson wrote:
> favicon.ico is a per-domain policy that is only available due to a legacy 
> proprietary extension; it causes untold problems (e.g. it doubles the load 
> on some of my sites due to bugs in how browsers cache 404 responses for 
> this resource), and it has per-resource ways of being specified instead 
> (including using HTTP headers).

FWIW, I don't think the favicon.ico problems really apply here. The 
reason that it adds a lot of load is that normal browsing on the site 
causes requests to favicon.ico; however, access-control policy checks 
will only happen if someone explicitly makes a cross-site request 
to your site. However, there is no incentive for anyone to do so since 
such requests will fail.

Basically for the same reason you're not getting any 404s about any 
other random URI, i.e. there is no reason for anyone to request it, you 
wouldn't get any requests to an access-control magic-uri either.

That said, I do agree with your other points. And I don't see how we 
could use a magic-uri solution while still fulfilling requirement 3 in 
the ED.

/ Jonas
Received on Thursday, 24 January 2008 01:26:38 UTC