- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 16 May 2008 03:38:48 +0200
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
* Jon Ferraiolo wrote:
>I didn't understand your logic with the spammer metaphor where the browser
>is the spammer sending unwanted initial requests to the server. A request
>goes to the server no matter whether we are talking about AC/XHR,
>JSONRequest or XDR. With AC/XHR, the browser sends a request (the spam) and
>the response comes back with either Access-Control header or (for XML) an
>Access-Control PI. With JSONRequest, the response is either an error or
>comes back with a Content-Type:application/jsonrequest header. With XDR,
>similar, except with an XDomainRequestAllowed:1. What am I missing?
>
>But cookies are just one small part of a bigger picture. My opinion is that
>it would be better to start off with an approach that is based on something
>like JSONRequest or XDR where policy management (i.e., allow/deny logic)
>happens on the server rather than the client, and where the starting point
>for discussion is a proposal that has been designed with security in mind
>from the beginning. ***THEN*** make adjustments to improve from this secure
>foundation to offer more flexibility and possibly even better security
>characteristics. For example, start with JSONRequest and transform it into
>something that includes XML support, or start with XDR and transform it into
>something that offers an option to go beyond just GET and POST and allows
>for secure transmission of user credentials.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 16 May 2008 01:39:28 UTC
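The three opt-in signals named in the quoted message (an Access-Control header or, for XML, an access-control processing instruction; a Content-Type of application/jsonrequest; an XDomainRequestAllowed:1 header) can be modelled as a browser-side gate that runs after the request has already left, which is the point of the "spam" framing. The following is an added illustration written for this archive page; it is not code from the thread, from any of the specifications discussed, or from any browser. The header names come from the message above; the `<?access-control ...?>` PI syntax, the shape of `xdr_server_response`, the sample responses and the origin list are all constructed assumptions for the example.

```python
"""Added example: model the client-side opt-in gate of AC/XHR, JSONRequest
and XDR, plus a server-side allow/deny decision for the XDR-style model.
Not from the thread; header names are those named in the message, everything
else is an assumption made for the illustration."""
import re
from typing import Callable, Dict, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _media_type(headers: Dict[str, str]) -> str:
    """Content-Type without its parameters, lower-cased; '' if absent."""
    return (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()


def ac_xhr_opts_in(headers: Dict[str, str], body: str) -> bool:
    """AC/XHR: an Access-Control header, or for XML an access-control PI.
    Only presence is modelled here; the allow/deny value is left to the
    browser-side policy evaluation the message describes."""
    if _header(headers, "Access-Control") is not None:
        return True
    if _media_type(headers).endswith("xml"):
        # PI target and pseudo-attribute are an assumption for this example.
        return re.search(r"<\?access-control\b.*?\?>", body, re.DOTALL) is not None
    return False


def jsonrequest_opts_in(headers: Dict[str, str], body: str) -> bool:
    """JSONRequest: the response must carry Content-Type: application/jsonrequest."""
    return _media_type(headers) == "application/jsonrequest"


def xdr_opts_in(headers: Dict[str, str], body: str) -> bool:
    """XDR: the response must carry XDomainRequestAllowed: 1."""
    return _header(headers, "XDomainRequestAllowed") == "1"


GATES: Dict[str, Callable[[Dict[str, str], str], bool]] = {
    "ac-xhr": ac_xhr_opts_in,
    "jsonrequest": jsonrequest_opts_in,
    "xdr": xdr_opts_in,
}


def expose_to_caller(mechanism: str, headers: Dict[str, str], body: str) -> Optional[str]:
    """The browser-side gate. The request has already gone out, so the only
    remaining decision is whether the requesting page may read the answer.
    None models the error the script sees when the server did not opt in."""
    return body if GATES[mechanism](headers, body) else None


def xdr_server_response(request_origin: str, allowed_origins: Tuple[str, ...],
                        payload: str) -> Tuple[Dict[str, str], str]:
    """Server side of the XDR-style model (assumed shape): the allow/deny
    decision lives here, and the opt-in header is emitted only on allow.
    How the server learns the requesting origin is not discussed in the
    thread; it is simply a parameter here."""
    headers = {"Content-Type": "text/plain"}
    if request_origin in allowed_origins:
        headers["XDomainRequestAllowed"] = "1"
    return headers, payload


# Constructed sample responses, keyed "<mechanism>/<case>".
SAMPLE_RESPONSES: Dict[str, Tuple[Dict[str, str], str]] = {
    "ac-xhr/header": ({"Access-Control": "(policy value not modelled)",
                       "Content-Type": "text/plain"}, "hello"),
    "ac-xhr/xml-pi": ({"Content-Type": "application/xml"},
                      '<?xml version="1.0"?><?access-control allow="*"?><doc/>'),
    "ac-xhr/no-signal": ({"Content-Type": "text/plain"}, "private data"),
    "jsonrequest/ok": ({"Content-Type": "application/jsonrequest"}, '{"ok": true}'),
    "jsonrequest/wrong-type": ({"Content-Type": "application/json"}, '{"ok": true}'),
    "xdr/ok": ({"XDomainRequestAllowed": "1"}, "hello"),
    "xdr/missing": ({"Content-Type": "text/plain"}, "private data"),
}


def run_samples() -> Dict[str, bool]:
    """Apply each mechanism's gate to its sample responses; True = exposed."""
    return {name: expose_to_caller(name.split("/")[0], headers, body) is not None
            for name, (headers, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, exposed in run_samples().items():
        print(f"{name:26s} exposed={exposed}")
```

The server-side helper is what the message means by allow/deny logic "on the server": the browser only ever checks for one fixed signal, and a response that lacks it is an error to the script even though the request itself was delivered.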