Access Control (was: Re: Meeting record for TAG Telcon: 10th Jan 2008)

Hi,

Being the editor of the discussed Access Control for Cross-site Requests  
specification I thought I'd reply to a few of the points made. Also, the  
latest draft, design decision FAQ, and use cases can be found at the  
following locations:

  * http://dev.w3.org/2006/waf/access-control/
  * http://annevankesteren.nl/temp/access-control-faq
  * http://annevankesteren.nl/temp/access-control-use-cases


On Wed, 16 Jan 2008 16:04:06 +0100, Williams, Stuart (HP Labs, Bristol)  
<skw@hp.com> wrote:
>    [DO:] ... it's a bit awkward to collaborate on this work, because it
>    comes up just occasionally between weeks of discussion of XBL2 etc.

There's hardly any discussion on Access Control because it is considered
to be mostly done. I actually haven't seen that much discussion of XBL
either, which is also mostly done (though contrary to Access Control it is
at CR-level). The only thing that has changed in Access Control over the
year is some changes to syntax. The model has pretty much stayed the same
for over one and a half years. Many of the changes had to do with
integrating an XMLHttpRequest-specific extension, which is described here

http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012.html

into the Access Control specification. Most of the discussion (there
wasn't much) centered around minor details and editorial fix-ups.


>    DO: much of this browser sandbox stuff is obscure; a colleague of
>    mine at BEA is an expert in related security work but is struggling
>    to get up to speed in this context

HTML 5 will define the security policies you're referring to here. They  
indeed make the Web complex.


>    HT: I'm sympathetic to the difficulty of writing this access control
>    spec while the browser sandbox model is obscure

I'm happy to answer questions regarding the effective Web security model.  
(Though I don't claim to have all the details.)


>    DO: while much of this is process/editorial, the choice of GET [as
>    opposed to OPTIONs or HEAD] is technical and architectural

We're using OPTIONS now as it turned out that server support is better  
than it was a year ago when we started this work. I'm not sure if Firefox  
is already updated to reflect this.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
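The OPTIONS preflight the message refers to, as an added example that is not part of the thread or of the specification: a small model of both sides of the exchange, in which the browser sends OPTIONS before a non-simple cross-site request and the server's answer decides whether the real request may follow. The header names are those of the later CORS specification that grew out of this draft, an assumption here; the January 2008 draft's own syntax differed, and the policy values are constructed.

```python
# Added example, not the spec's or the thread's code: a minimal model of the
# preflight exchange the message refers to. Header names are those of the later
# CORS specification that grew out of this draft (an assumption, not the 2008 syntax).

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}

# Constructed server policy: origins, methods and headers this resource accepts.
POLICY = {
    "allowed_origins": {"https://app.example.org"},
    "allowed_methods": {"GET", "PUT"},
    "allowed_headers": {"x-client-id"},
}

def needs_preflight(method, headers):
    """True when the browser must send an OPTIONS request before the real one."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return any(h.lower() not in SIMPLE_HEADERS for h in headers)

def build_preflight(origin, method, headers):
    """The OPTIONS request the browser sends to describe the intended request."""
    req = {"method": "OPTIONS", "Origin": origin,
           "Access-Control-Request-Method": method.upper()}
    if headers:
        req["Access-Control-Request-Headers"] = ", ".join(sorted(h.lower() for h in headers))
    return req

def answer_preflight(req, policy=POLICY):
    """Server side: grant headers for the preflight, or None to refuse.
    Origin, method and every requested header must be explicitly allowed;
    an arbitrary Origin is never echoed back."""
    origin = req.get("Origin")
    if origin not in policy["allowed_origins"]:
        return None
    if req.get("Access-Control-Request-Method") not in policy["allowed_methods"]:
        return None
    wanted = {h.strip() for h in req.get("Access-Control-Request-Headers", "").split(",") if h.strip()}
    if not wanted <= policy["allowed_headers"]:
        return None
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(policy["allowed_methods"])),
            "Access-Control-Allow-Headers": ", ".join(sorted(policy["allowed_headers"]))}

def may_send(origin, method, headers, policy=POLICY):
    """Browser side: skip or run the preflight, then check the server's grant."""
    if not needs_preflight(method, headers):
        return True
    grant = answer_preflight(build_preflight(origin, method, headers), policy)
    return grant is not None and grant["Access-Control-Allow-Origin"] == origin
```

The server never answers with a wildcard or a reflected origin; a refused preflight means the browser never issues the real request, which is what makes the OPTIONS round trip a safe place for the server to declare its policy.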

Received on Wednesday, 16 January 2008 15:36:16 UTC