Re: Review of http://www.w3.org/TR/2007/WD-access-control-20071126/

On Wed, 09 Jan 2008 16:50:14 +0100, Williams, Stuart (HP Labs, Bristol)  
<skw@hp.com> wrote:
> My reflection over the New Year break period is simply as follows:
>
> I think that AC decision should be made wrt the operation as a whole  
> (GET, PUT, POST, DELETE...) ie. given a permission to proceed with an  
> operation it should then be allowed to run to its normal termination.  
> As spec'd at present, AC decisions are made on each 'phase' of a  
> two-phase operation - splitting a state-changing operation in a way that  
> potentially allows partial success and a 'split-horizon' view of the  
> outcome (one party thinks success, the other is not allowed to find out).

To be clear, for GET this is not the case. That is the only HTTP method  
that goes straight through and where only a single check is performed  
(because cross-site GET is already possible and we only need to protect  
the return data).

The two checks for the other methods are different. The first check (on  
the preflight GET) is to determine whether the user agent can send the  
request. The second check (on the actual request) is to determine whether  
the user agent can expose the entity body to the protocol it's dealing  
with (protocol being XMLHttpRequest for instance). In other words, the  
first is for sending and the second is for reading. In theory these could  
be different.


> So... on the purity side; I think the granularity of AC decisions should  
> be whole operations... and, as an aside, intentional language that  
> describes the intended grain size would be helpful whether or not you  
> agree with me over what that grain size should be.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 11 January 2008 11:15:47 UTC
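The two-phase check described in the reply above (a send check on the preflight, a separate read check on the actual response, and GET going straight through with only the read check), modelled as an added example that is not part of the thread or of the W3C draft. It uses the header names that CORS later standardized (Origin, Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Request-Method) as an assumption; the 2007 draft used different syntax, but the split between "may I send" and "may I read" is the same. The target server, its resource and the requesting origin are constructed for the example. The PUT handler is deliberately set up so that the preflight succeeds, the state change happens, and the actual response is then not readable, which is the split-horizon outcome Stuart describes.

```javascript
// Added example: toy model of the two-phase access-control check.
// Header names follow later CORS (assumption); server and origin are constructed.

const REQUESTING_ORIGIN = "http://app.example"; // assumed origin of the calling page

// Constructed target server holding one resource, so that a state-changing
// PUT leaves a trace even when its response body is withheld from the caller.
function makeServer() {
  const state = { "/doc": "original" };
  const allowOrigin = { "Access-Control-Allow-Origin": REQUESTING_ORIGIN };
  return {
    state,
    handle(req) {
      if (req.path !== "/doc") return { status: 404, headers: {}, body: "" };
      switch (req.method) {
        case "OPTIONS":
          // Preflight: server states which non-GET methods it accepts from this origin.
          return {
            status: 200,
            headers: { ...allowOrigin, "Access-Control-Allow-Methods": "PUT, DELETE" },
            body: "",
          };
        case "GET":
          return { status: 200, headers: allowOrigin, body: state["/doc"] };
        case "PUT":
          state["/doc"] = req.body; // the state change happens here, before any read check
          // Deliberately misconfigured: no allow header on the actual response,
          // so the user agent must not expose the body although the write succeeded.
          return { status: 200, headers: {}, body: "stored: " + req.body };
        case "DELETE":
          delete state["/doc"];
          return { status: 204, headers: allowOrigin, body: "" };
        default:
          return { status: 405, headers: {}, body: "" };
      }
    },
  };
}

function originAllowed(headers) {
  const v = headers["Access-Control-Allow-Origin"];
  return v === "*" || v === REQUESTING_ORIGIN;
}

function methodAllowed(headers, method) {
  const v = headers["Access-Control-Allow-Methods"] || "";
  return v.split(",").map((s) => s.trim()).includes(method);
}

// User-agent side. Returns what happened in each phase so the caller can see
// the difference between "request was sent" and "response was exposed".
function crossSiteRequest(server, method, path, body) {
  const result = { preflightPassed: null, sent: false, exposed: false, body: null };

  if (method !== "GET") {
    // Phase 1 (send check): may this request leave the user agent at all?
    const pre = server.handle({
      method: "OPTIONS",
      path,
      headers: { Origin: REQUESTING_ORIGIN, "Access-Control-Request-Method": method },
    });
    result.preflightPassed = originAllowed(pre.headers) && methodAllowed(pre.headers, method);
    if (!result.preflightPassed) return result; // nothing is sent, server state untouched
  }
  // GET skips phase 1: cross-site GET is already possible via <img>, <script>, forms.

  const res = server.handle({ method, path, headers: { Origin: REQUESTING_ORIGIN }, body });
  result.sent = true;

  // Phase 2 (read check): may the entity body be handed to the calling script?
  if (originAllowed(res.headers)) {
    result.exposed = true;
    result.body = res.body;
  }
  return result;
}
```

Running `crossSiteRequest(makeServer(), "PUT", "/doc", "new")` gives `preflightPassed: true, sent: true, exposed: false` while the server's stored value has changed to "new": the operation succeeded on the server side and the caller cannot learn that, which is exactly the partial-success case the two separate checks make possible. A method the preflight does not list (POST here) never reaches the server at all.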