On Tue, 18 Dec 2007 21:09:13 +0100, Doyle, Bill <[EMAIL PROTECTED]> wrote:
## Sorry I was not clear. The Web Server needs to be able to control
its IA boundary. In your description and reply the client provides the
protection.
The Web server could simply refuse to handle requests that have a
Referer-Root HTTP header in them.
I understand that the 3rd party can restrict access. The requirement
is for the web server to have a mechanism (i.e. configuration setting or
other type of control) that allows or disallows access control for
cross-site requests and the web server has the ability to restrict
3rd party access to settings that are controlled by the web server.
What exactly makes you think this is not possible?
## Please explain how this is possible.
You could simply deny to handle requests with a Referer-Root HTTP header.
Issue is that the web server owner loses Information Assurance (IA)
control, this is an issue for my customers. IA control cannot be
handed over to a 3rd party. For my customers, the web server owners
need to manage the IA settings.
Do you have a more concrete scenario that illustrates this? I'm not
sure I follow.
## Draft notes that the client becomes the Policy Decision Point, the
IA boundary of the server is extended to include the client.
Yes, but the mechanism is opt-in, so the Web server would only take part
if it allows this. Otherwise everything will work exactly like it does now.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
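The server-side control Anne describes (refuse any request carrying a Referer-Root header unless the server owner has opted in, and even then grant access only to origins the owner lists) can be sketched as a small policy decision point. The code below is an added illustration, not code from the thread, the draft, or Opera; the request header name Referer-Root is taken from the discussion, while the response header spelling `Access-Control: allow <origin>`, the `CrossSitePolicy` configuration object and the `decide` function are my assumptions.

```python
"""
Added example: a server-owned policy decision point for cross-site requests.

Assumptions (not from the thread): the response grant header is spelled
"Access-Control: allow <origin>"; CrossSitePolicy and decide() are
hypothetical names for the server's configuration and request filter.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class CrossSitePolicy:
    # False: the server refuses every request that carries Referer-Root,
    # so no third party can take part in cross-site access at all.
    cross_site_enabled: bool = False
    # Origins (scheme://host[:port]) the server owner has explicitly listed.
    allowed_roots: FrozenSet[str] = frozenset()


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; match accordingly.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def decide(headers: Dict[str, str],
           policy: CrossSitePolicy) -> Tuple[int, Dict[str, str]]:
    """Return (status, response_headers) for one incoming request.

    Requests without Referer-Root are ordinary same-site requests and are
    served exactly as today (200, no access-control header). Requests that
    do carry it are governed only by the server's own policy object, so the
    IA decision never leaves the server.
    """
    root = _header(headers, "Referer-Root")
    if root is None:
        return 200, {}
    if not policy.cross_site_enabled:
        # Server has not opted in: refuse the cross-site request outright.
        return 403, {}
    if root in policy.allowed_roots:
        # Opted in and origin is on the owner's list: grant access.
        return 200, {"Access-Control": f"allow <{root}>"}
    # Opted in, but this origin is not listed: serve nothing, grant nothing.
    return 403, {}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    locked = CrossSitePolicy()
    opened = CrossSitePolicy(cross_site_enabled=True,
                             allowed_roots=frozenset({"http://partner.example"}))
    print(decide({"Host": "www.example"}, locked))
    print(decide({"Referer-Root": "http://partner.example"}, locked))
    print(decide({"Referer-Root": "http://partner.example"}, opened))
    print(decide({"Referer-Root": "http://other.example"}, opened))
```

With the default policy the server behaves as if the mechanism did not exist for third parties: same-site traffic is unaffected and any request announcing a cross-site origin is rejected before the application sees it, which is the "opt-in" property discussed above expressed as a configuration setting under the server owner's control.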