ACTION-158: Input for requirement 1.1

Here's a suggestion:

  The solution should not introduce additional attack vectors
  against services that are protected only by way of firewalls. This
  requirement ddresses "intranet" style services authorize any
  requests that can be sent to the service.

  Note that this requirement does not preclude HEAD, OPTIONS, or GET
  requests (even with ambient authentication and session

I would suggest to refrain from any further discussion of what is or
is not possible.

Thomas Roessler, W3C  <>

Received on Wednesday, 30 January 2008 21:40:26 UTC