
Access Control (was: Re: Meeting record for TAG Telcon: 10th Jan 2008)

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 16 Jan 2008 16:39:10 +0100
To: www-tag@w3.org
Message-ID: <op.t404fkm264w2qv@annevk-t60.oslo.opera.com>


Being the editor of the discussed Access Control for Cross-site Requests  
specification I thought I'd reply to a few of the points made. Also, the  
latest draft, design decision FAQ, and use cases can be found at the  
following locations:

  * http://dev.w3.org/2006/waf/access-control/
  * http://annevankesteren.nl/temp/access-control-faq
  * http://annevankesteren.nl/temp/access-control-use-cases

On Wed, 16 Jan 2008 16:04:06 +0100, Williams, Stuart (HP Labs, Bristol)  
<skw@hp.com> wrote:
>    [DO:] ... it's a bit awkward to collaborate on this work, because it
>    comes up just occasionally between weeks of discussion of XBL2 etc.

There's hardly any discussion on Access Control because it is considered  
to be mostly done. I actually haven't seen that much discussion of XBL  
either which is also mostly done (though contrary to Access Control it is  
at CR-level). The only thing that has changed to Access Control over the  
year is some changes to syntax. The model has pretty much stayed the same  
for over one and a half years. Many of the changes had to do with  
integrating an XMLHttpRequest specific extension which is described here


into the Access Control specification. Most of the discussion (there  
wasn't much) centered around minor details and editorial fix up.

>    DO: much of this browser sandbox stuff is obscure; a colleague of
>    mine at BEA is an expert in related security work but is struggling
>    to get up to speed in this context

HTML 5 will define the security policies you're referring to here. They  
indeed make the Web complex.

>    HT: I'm sympathetic to the difficulty of writing this access control
>    spec while the browser sandbox model is obscure

I'm happy to answer questions regarding the effective Web security model.  
(Though I don't claim to have all the details.)

>    DO: while much of this is process/editorial, the choice of GET [as
>    opposed to OPTIONS or HEAD] is technical and architectural

We're using OPTIONS now as it turned out that server support is better  
than it was a year ago when we started this work. I'm not sure if Firefox  
is already updated to reflect this.

Anne van Kesteren
Received on Wednesday, 16 January 2008 15:36:16 UTC
