- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 14 May 2008 17:20:17 -0700
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Jon Ferraiolo wrote: > Sorry for beating a dead horse, but IMO the policy manager (i.e., the > software that decides whether to allow a request to go through, aka the > PEP) shouldn't be on the client anyway. The client should just make > cross-domain requests and the server should enforce which requests are > allowed to go through. Instead of the server delegating to the client > the responsibility for only allowing certain requests (e.g., only to > /api/*), the server should itself take responsibility for permitting or > denying requests. I don't understand at all what you are proposing. If we allow the client to always POST cross domain the damage is already done and we have lost already. We can't make existing already deployed servers to start dealing with this new spec. Please elaborate in more detail. > (JSONRequest in contrast has no client-side mechanisms > for deciding which requests should be allowed or denied and assumes that > any such logic would be on the server.) JSONRequest always allows cross-site POSTs, I.e. it always allows the thing we are trying to prevent. / Jonas
Received on Thursday, 15 May 2008 00:21:43 UTC