Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

* Jon Ferraiolo wrote:
>I didn't understand your logic with the spammer metaphor where the browser
>is the spammer sending unwanted initial requests to the server. A request
>goes to the server no matter whether we are talking about AC/XHR,
>JSONRequest or XDR. With AC/XHR, the browser sends a request (the spam) and
>the response comes back with either Access-Control header or (for XML) an
>Access-Control PI. With JSONRequest, the response is either an error or
>comes back with a Content-Type:application/jsonrequest header. With XDR,
>similar, except with an XDomainRequestAllowed:1. What am I missing?

>But cookies are just one small part of a bigger picture. My opinion is that
>it would be better to start off with an approach that is based on something
>like JSONRequest or XDR where policy management (i.e., allow/deny logic)
>happens on the server rather than the client, and where the starting point
>for discussion is a proposal that has been designed with security in mind
>from the beginning. ***THEN*** make adjustments to improve from this secure
>foundation to offer more flexibility and possibly even better security
>characteristics. For example, start with JSONRequest and transform it into
>something that includes XML support, or start with XDR and transform it into
>something that offers an option to go beyond just GET and POST and allows
>for secure transmission of user credentials.
Received on Friday, 16 May 2008 01:39:28 UTC
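The quoted paragraph compares three response-side opt-in signals: an Access-Control header (or, for XML, an Access-Control processing instruction) for AC/XHR, a Content-Type of application/jsonrequest for JSONRequest, and XDomainRequestAllowed: 1 for XDR. The point behind the "spam" metaphor is that in all three models the request has already reached the server before any of those signals are examined; the browser only gates what the page is allowed to read afterwards. The following Python is an added illustration written for this page, not code from the mail, from the thread's participants, or from any of the three specifications. It assumes the XML processing instruction has the target name `access-control`, does not interpret the allow/deny grammar of the Access-Control header (presence alone is treated as opt-in), and uses constructed sample responses.

```python
"""Response-side gating of cross-site requests for AC/XHR, JSONRequest and XDR.

Added example. The browser sends the request unconditionally; the server runs
its handler regardless; the decision below only controls whether the page is
allowed to see the bytes that came back.
"""
import re
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]


def parse_response(raw: bytes) -> Tuple[int, Headers, bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def media_type(content_type: str) -> str:
    """'application/xml; charset=utf-8' -> 'application/xml'."""
    return content_type.split(";", 1)[0].strip().lower()


def is_xml(content_type: str) -> bool:
    mt = media_type(content_type)
    return mt in ("text/xml", "application/xml") or mt.endswith("+xml")


# Assumption: the XML processing instruction the mail calls the
# "Access-Control PI" has the target name 'access-control'.
ACCESS_CONTROL_PI = re.compile(rb"<\?access-control\b")


def response_exposable(mechanism: str, raw: bytes) -> bool:
    """Decide, as the browser would, whether the page may read this response."""
    _status, headers, body = parse_response(raw)
    ct = headers.get("content-type", "")
    if mechanism == "AC":
        # Header present, or (XML bodies only) the PI in the body. The header's
        # allow/deny grammar is deliberately not interpreted in this sketch.
        if "access-control" in headers:
            return True
        return is_xml(ct) and ACCESS_CONTROL_PI.search(body) is not None
    if mechanism == "JSONRequest":
        return media_type(ct) == "application/jsonrequest"
    if mechanism == "XDR":
        return headers.get("xdomainrequestallowed") == "1"
    raise ValueError(f"unknown mechanism {mechanism!r}")


# Constructed sample responses: one per opt-in signal plus one that never opts in.
SAMPLES: Dict[str, bytes] = {
    "ac_header": (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                  b"Access-Control: allow <*>\r\n\r\nhello"),
    "xml_pi": (b"HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n"
               b'<?xml version="1.0"?>\n<?access-control allow="*"?>\n<doc/>'),
    "jsonrequest": (b"HTTP/1.1 200 OK\r\nContent-Type: application/jsonrequest\r\n"
                    b"\r\n{\"ok\": true}"),
    "xdr": (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"XDomainRequestAllowed: 1\r\n\r\nhello"),
    "plain": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>private</html>",
}


def simulate_exchange(mechanism: str, server: Callable[[], bytes],
                      log: List[str]) -> bool:
    """The request always reaches the server (the 'spam' of the mail); the
    server's handler runs and appends to `log`; only the exposure is gated."""
    log.append(f"server handled cross-site request ({mechanism})")
    return response_exposable(mechanism, server())


def evaluate_all() -> Dict[Tuple[str, str], bool]:
    """Run every mechanism against every sample; returns the decision table."""
    results: Dict[Tuple[str, str], bool] = {}
    for mech in ("AC", "JSONRequest", "XDR"):
        for label, raw in SAMPLES.items():
            results[(mech, label)] = response_exposable(mech, raw)
    return results


if __name__ == "__main__":
    for (mech, label), ok in sorted(evaluate_all().items()):
        print(f"{mech:12} {label:12} {'exposed' if ok else 'blocked'}")
```

Running the table shows each mechanism exposing exactly the response carrying its own signal and blocking the rest; `simulate_exchange` makes the other half of the argument visible, since its log entry is written whether or not the response ends up exposed.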