Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

* Jon Ferraiolo wrote:

It seems your confusion and your misplaced comments are the result of
your overly narrow focus on a small subset of the problem space "AC"
is supposed to address, and on making sites and services available to
third parties, rather than inadvertently exposing them. You regularly
reinforce your own confusion by using misleading terminology. E.g.:

>XDR has a similar approach where the server must opt-in by checking for
>XDomainRequest: 1 header in the request and returning
>XDomainRequestAllowed: 1 in the response.

Here you use "opt-in" without further qualification. Consider you receive
a spam mail offering you the choice to receive additional spam
mail. The spammer might then also say people must opt-in by clicking
some link or whatever, but he would only tell half the story, since
you never opted into receiving any mail from him in the first place.

If you would escape the narrow little subset of features offered by
XDR and JSONRequest for a little while, it would be much easier for
you to see that the spammer, or in our case, the browser, can't just
send out the initial message hoping the server welcomes it, an opt-in
is required.

To put it this way: some people are trying to design a vehicle that
takes them from Iceland to Australia, and you tell them people should
only ride bicycles out of environmental considerations. There won't be
any agreement between you and those people until you stop talking about
bicycles, and start talking about whether to make the trip at all.

>I'm not sure what you are asking. Are you saying that we can't require
>existing servers to make changes in order to support cross-site requests?

Consider you reached a compromise and built a bicycle-powered ship.
Jonas' perspective is this: "Oh my god, an iceberg! We must change
course or we will all perish!" Your perspective is this: "Hey look,
an iceberg with cute little penguins! We must change course to
observe them more closely!" Superficially either problem requires a
course correction, but hidden under the surface is a big difference.

It may well be that for architectural or practical reasons you think
that the wrong problem is being solved here, that there should never
be cross site requests with non-trivial methods, with automatic state
management, standard authentication facilities and broad control over
headers and data formats, but running around screaming how the server
should have more pep and how you don't understand what everyone else
is talking about is not a good way to convey that.

Björn Höhrmann
Weinh. Str. 22 · Telefon: +49(0)621/4309674
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78

Received on Thursday, 15 May 2008 15:23:09 UTC