On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <[EMAIL PROTECTED]> wrote:
Not sure how the web server protects itself - "site should be protected from any other requests until it grants access"
Per the current policy in place, the Web server FOO.COM is protected by the client not allowing a site on BAR.COM to retrieve information from FOO.COM. A site on BAR.COM can already issue a GET request to FOO.COM using <img>, <script>, etc. This same GET request is used to allow cross-site exchange of information through an opt-in policy as defined by the draft.
I understand that the 3rd party can restrict access. The requirement is for the web server to have a mechanism (i.e. configuration setting or other type of control) that allows or disallows access control for cross-site requests and the web server has the ability to restrict 3rd party access to settings that are controlled by the web server.
What exactly makes you think this is not possible?
Issue is that the web server owner loses Information Assurance (IA) control, this is an issue for my customers. IA control cannot be handed over to a 3rd party. For my customers, the web server owners need to manage the IA settings.
Do you have a more concrete scenario that illustrates this? I'm not sure I follow.
-- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
