- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 9 Dec 2009 18:10:31 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org
On Wed, 9 Dec 2009, Tyler Close wrote:
> On Wed, Dec 9, 2009 at 7:43 AM, Ian Hickson <ian@hixie.ch> wrote:
> > Ok, let's move on to a more complex case.
> >
> > Consider a static resource that is protected by a cookie authentication
> > mechanism. For example, a per-user static feed updated daily on some
> > server by some automated process. The server is accessible on the public
> > Web. The administrator of this service has agreements with numerous
> > trusted sites, let's say a dozen sites, which are allowed to fetch this
> > file using XHR (assuming the user is already logged in). The sites that
> > fetch this file do not require authentication (e.g. one could be my portal
> > page, which is just a static HTML page, without any server-side script).
> > Other sites must not be allowed access to the file.
> >
> > How does one configure the server to handle this case?
>
> Again going with the simplest thing that could possibly work:
>
> Each of the per-user static feeds is referenced by a unique
> unguessable URL of the same format used in the previous example. For
> example,
>
> https://example.com/user123/?s=42tjiyrvnbpoal
> https://example.com/user456/?s=sdfher34nvl34
> ...
>
> Again, a GET response from such a URL carries the same-origin opt-out
> header.
>
> The user gives this URL only to those services he wants to access the
> feed. For example, you could copy this URL into your personal static
> HTML page that acts as your portal.

I think asking users to pass around secret tokens is a non-starter.

-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 9 December 2009 18:11:08 UTC
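The scheme Tyler Close sketches above (a per-user feed at an unguessable URL, served with a header that opts the resource out of same-origin protection, no cookie consulted) is easy to get subtly wrong, so here is a minimal model of the server side. This is an added example, not code from the thread or from either participant. It assumes `https://example.com` as the host (as in the quoted URLs), uses CORS's `Access-Control-Allow-Origin: *` as a stand-in for the "same-origin opt-out header" the thread does not name, and the function names `mint_feed_url` and `lookup_feed` are invented for illustration.

```python
"""Capability-URL feed store (added example, not from the thread).

Each per-user feed lives at a URL whose query string carries a random
secret. The secret is the only credential: cookies are never consulted,
so any site that holds the URL can fetch the feed with XHR, and a site
that does not hold it gets the same 404 as for a nonexistent user.
The opt-out header name is an assumption: CORS's
'Access-Control-Allow-Origin: *' stands in for the thread's
'same-origin opt-out header'.
"""
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

ORIGIN = "https://example.com"  # assumed host, taken from the quoted URLs
TOKEN_BYTES = 20                # 160 bits of entropy per feed URL

# Constructed in-memory store: user id -> (secret, feed body).
_FEEDS: Dict[str, Tuple[str, str]] = {}


def mint_feed_url(user_id: str, body: str) -> str:
    """Create (or rotate) the unguessable URL for one user's feed.

    Minting again for the same user replaces the secret, which is how
    a leaked URL is revoked: the old one simply stops resolving.
    """
    secret = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe alphabet
    _FEEDS[user_id] = (secret, body)
    return f"{ORIGIN}/{user_id}/?s={secret}"


def lookup_feed(url: str) -> Tuple[int, Dict[str, str], str]:
    """Serve a GET for a capability URL. Returns (status, headers, body).

    A missing or wrong secret yields the same 404 as an unknown user,
    so a probing site cannot enumerate which user ids exist.
    """
    parts = urlsplit(url)
    segments = [seg for seg in parts.path.split("/") if seg]
    secret = parse_qs(parts.query).get("s", [""])[0]
    not_found = (404, {"Cache-Control": "no-store"}, "")

    if len(segments) != 1:
        return not_found
    entry = _FEEDS.get(segments[0])
    if entry is None:
        return not_found
    stored_secret, body = entry
    # Constant-time comparison: the secret is the credential, so a
    # short-circuiting string compare would leak it byte by byte.
    if not hmac.compare_digest(secret.encode(), stored_secret.encode()):
        return not_found

    headers = {
        "Content-Type": "application/atom+xml",
        # Assumed stand-in for the thread's "same-origin opt-out header":
        # any origin holding the URL may read the response via XHR.
        "Access-Control-Allow-Origin": "*",
        # The URL itself is the secret; keep the body out of shared caches.
        "Cache-Control": "private, no-store",
    }
    return 200, headers, body


if __name__ == "__main__":
    url = mint_feed_url("user123", "<feed>user123 daily digest</feed>")
    print("capability URL:", url)
    print("with secret:   ", lookup_feed(url)[0])
    print("wrong secret:  ", lookup_feed(f"{ORIGIN}/user123/?s=guess")[0])
    print("no secret:     ", lookup_feed(f"{ORIGIN}/user123/")[0])
```

The server never looks at `Cookie`, which is the whole point of the design: the same request works identically whether it comes from the user's browser, a static portal page on another origin, or a script, because possession of the URL is the authorization. That is also exactly the property Ian Hickson objects to, since the user must hand that URL to each of the dozen sites by hand, and anyone who sees it (in a referrer, a log, or a bookmark sync) holds the feed until the URL is re-minted.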