- From: Kendall Clark <kendall@monkeyfist.com>
- Date: Wed, 18 Jan 2006 09:45:49 -0500
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-rdf-dawg-comments@w3.org, Rigo Wenning <rigo@w3.org>

On Jan 18, 2006, at 4:12 AM, Thomas Roessler wrote:

> On 2006-01-17 16:59:54 -0500, Kendall Clark wrote:
>
>> The latest version (http://www.w3.org/2001/sw/DataAccess/proto-wd/#policy)
>> of the editor's draft now reads (in relevant part):
>>
>> Since a SPARQL protocol service may make HTTP requests of other
>> origin servers on behalf of its clients, it may be used as a vector
>> of attacks against other sites or services. Thus, SPARQL protocol
>> services may effectively act as proxies for third-party clients. Such
>> services may place restrictions on the resources that they retrieve
>> or on the rate at which external resources can be retrieved. SPARQL
>> protocol services may log client requests in such a way as to
>> facilitate tracing them with regard to third-party origin servers or
>> services.
>>
>> Does this satisfy yr concerns?
>
> Yes, this is better. You could also state the obvious and note
> that SPARQL services may place restrictions on the resources
> that they can access on behalf of their clients.

The spec says that in two different ways in two places (See QueryRequestRefused and the 3rd sentence of 3.1 Security.)

> (Incidentally, is the protocol able to report this condition
> [don't want to access a resource] back to the client?)

Not that specifically, no. It can say QueryRequestRefused as a WSDL fault, and it can return any HTTP status code, but I don't know of any HTTP status code that's on-point here. It would be a status code used by proxies, and I think they typically just pass back a 404. The WG has the option to define a WSDL fault specifically for this purpose -- say, RdfDatasetError -- but it has not chosen to do so.

Cheers,
Kendall Clark

Received on Wednesday, 18 January 2006 14:46:03 UTC
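
The three controls in the quoted draft text (restricting which resources are retrieved, limiting the retrieval rate, and logging requests so they can be traced to third-party origin servers), sketched as an added example that is not part of the original message or of the SPARQL specification. The `RetrievalPolicy` class, its parameters and the host names used with it are hypothetical; only the `QueryRequestRefused` fault name comes from the thread.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

class QueryRequestRefused(Exception):
    """Stands in for the QueryRequestRefused WSDL fault named in the thread."""

class RetrievalPolicy:
    """Hypothetical gate a service consults before fetching a graph for a client."""

    def __init__(self, allowed_hosts, max_fetches, window_seconds):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.max_fetches = max_fetches        # permitted fetches per client per window
        self.window = window_seconds
        self.recent = defaultdict(deque)      # client -> timestamps of permitted fetches
        self.audit_log = []                   # (timestamp, client, origin, decision)

    def authorize(self, client, graph_uri, now=None):
        now = time.time() if now is None else now
        try:
            parts = urlsplit(graph_uri)
            scheme, host = parts.scheme, (parts.hostname or "").lower()
        except ValueError:                    # malformed authority, e.g. bad IPv6 literal
            scheme, host = "", ""
        origin = f"{scheme}://{host}"

        # Restriction on the resources the service will retrieve.
        if scheme not in ("http", "https") or host not in self.allowed_hosts:
            self.audit_log.append((now, client, origin, "refused:resource"))
            raise QueryRequestRefused(f"retrieval of {graph_uri!r} is not permitted")

        # Restriction on the rate of external retrievals (sliding window per client).
        stamps = self.recent[client]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_fetches:
            self.audit_log.append((now, client, origin, "refused:rate"))
            raise QueryRequestRefused("external retrieval rate exceeded")

        # Log entry ties the requesting client to the third-party origin server.
        stamps.append(now)
        self.audit_log.append((now, client, origin, "allowed"))
        return origin
```

If the service follows HTTP redirects when fetching a graph, each redirect target needs the same check before it is followed.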