- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 30 Jan 2008 23:07:17 +0100
- To: public-appformats@w3.org
I believe that this is the current wording of requirement 9:

<sicking> i'd be ok with "Must not require that the server filters the entity body of the resource in order to deny cross-site access to all resources on the server"

(From the minutes.)

It occurs to me that the current specification assumes that all cross-site requests have a Referer-Root header set. That suggests that a configuration step as common as denying any requests with a particular header would be enough to fulfill this requirement, without actually relying upon the policy mechanism itself.

In fact, for the kind of use case that this requirement seems to have in mind (somebody screwed up badly during policy authoring), that strategy would most likely be the one a sane administrator would take. Otherwise, there would be a risk that the insane policy comes with a bad Method-Check-Expires HTTP header.

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 30 January 2008 22:07:23 UTC
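The header-based blanket deny that the message above describes, as an added example that is not part of the thread or of the specification under discussion. It is a small WSGI middleware that refuses any request carrying a Referer-Root header before the access-control policy is ever consulted. Assumptions, labelled as such: every cross-site request (including the Method-Check preflight of that draft) carries Referer-Root, as the message assumes; the downstream `policy_app`, its `Access-Control` value and its `Method-Check-Expires` value are hypothetical stand-ins for a badly authored policy; the sample requests are constructed.

```python
"""Blanket cross-site deny by header, ahead of the policy mechanism.

Added example, not code from the thread or the specification. Assumption:
every cross-site request, including the Method-Check preflight, carries a
Referer-Root header, so rejecting on that header alone denies cross-site
access to every resource without touching the policy or the entity body.
"""
from typing import Callable, Iterable, List, Tuple

WSGIApp = Callable[[dict, Callable], Iterable[bytes]]


def policy_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Hypothetical downstream app whose policy was authored badly.

    It answers every request with a permissive Access-Control header and a
    long Method-Check-Expires, so a client could cache the bad decision.
    The values are illustrative stand-ins, not the real policy syntax.
    """
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Access-Control", "allow <*>"),         # hypothetical, over-permissive
        ("Method-Check-Expires", "3600"),        # hypothetical, cached for an hour
    ])
    return [b"secret"]


def deny_cross_site(app: WSGIApp) -> WSGIApp:
    """Refuse any request carrying Referer-Root before app (and its policy) runs.

    Because the rejection happens here, the bad Access-Control and
    Method-Check-Expires headers from the wrapped app never reach a
    cross-site caller, and the entity body is never inspected.
    """
    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        # WSGI exposes the Referer-Root request header as HTTP_REFERER_ROOT.
        if "HTTP_REFERER_ROOT" in environ:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"cross-site access disabled"]
        return app(environ, start_response)
    return wrapped


def run(app: WSGIApp, method: str, headers: dict) -> Tuple[str, dict, bytes]:
    """Drive a WSGI app with a constructed request; return (status, headers, body).

    Only custom headers are passed in here, so the plain HTTP_ prefix mapping
    is enough (Content-Type/Content-Length would map differently in real WSGI).
    """
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/data"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured: List[Tuple[str, dict]] = []

    def start_response(status, response_headers, exc_info=None):
        captured.append((status, dict(response_headers)))

    body = b"".join(app(environ, start_response))
    status, response_headers = captured[0]
    return status, response_headers, body


# The filter wraps the (badly configured) policy app.
app = deny_cross_site(policy_app)

if __name__ == "__main__":
    # Constructed requests: same-site, cross-site preflight, cross-site GET.
    for label, method, hdrs in [
        ("same-site GET", "GET", {}),
        ("cross-site preflight", "GET",
         {"Referer-Root": "http://attacker.example", "Method-Check": "POST"}),
        ("cross-site GET", "GET", {"Referer-Root": "http://attacker.example"}),
    ]:
        status, response_headers, body = run(app, method, hdrs)
        print(f"{label}: {status} {sorted(response_headers)} {body!r}")
```

The same-site request still reaches the policy app, while both cross-site forms are turned away with no Access-Control or Method-Check-Expires header at all, which is the point of the administrator's strategy: the broken policy is never evaluated, so it cannot be cached. An Apache `SetEnvIf`/`Deny` pair or an equivalent nginx `if` on the header would achieve the same without application code.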