W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

On Requirement 9 and "deny"

From: Thomas Roessler <tlr@w3.org>
Date: Wed, 30 Jan 2008 23:07:17 +0100
To: public-appformats@w3.org
Message-ID: <20080130220717.GA19228@iCoaster.does-not-exist.org>

I believe that this is the current wording of requirement 9:

    <sicking> i'd be ok with "Must not require that the server
    filters the entity body of the resource in order to deny
    cross-site access to all resources on the server"
(From the minutes.)

It occurs to me that the current specification assumes that all
cross-site requests have a Referer-Root header set.  That suggests
that a configuration step as common as denying any requests with a
particular header would enough to fulfill this requirement, without
actually relying upon the policy mechanism itself.

In fact, for the kind of use case that this requirment seems to have
in mind (somebody screwed up badly during policy authoring), that
strategy would most likely be the one a sane administrator would
take.  Otherwise, there would be a risk that the insane policy comes
with a bad Method-Check-Expires HTTP header.

Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 30 January 2008 22:07:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC