Anne van Kesteren wrote:

On Tue, 18 Dec 2007 21:09:13 +0100, Doyle, Bill <[EMAIL PROTECTED]> wrote:
## Sorry I was not clear. The Web Server needs to be able to control
its IA boundary. In your description and reply the client provides the
protection.

The Web server could simply refuse to handle requests that have a Referer-Root HTTP header in them.


I understand that the 3rd party can restrict access. The requirement
is for the web server to have a mechanism (i.e. configuration setting or
other type of control) that allows or disallows access control for
cross-site requests and the web server has the ability to restrict
3rd party access to settings that are controlled by the web server.

What exactly makes you think this is not possible?

## Please explain how this is possible.

You could simply refuse to handle requests with a Referer-Root HTTP header.

Actually, I'm not sure we should recommend this. I wouldn't be surprised if the Referer-Root header will end up being used for other specs too in the future, especially given its very generic name.

If we really want servers to do this, maybe we should name the header AC-Referer-root instead?

The server could also simply not put any access-control headers or PIs in any responses, that would have the same effect.

/ Jonas
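The two server-side options the thread discusses (refusing any request that carries a Referer-Root header, and never emitting access-control headers or processing instructions in responses) as a small WSGI middleware. This is an added example and not code from the thread, the W3C draft, or any participant; it assumes the request header is spelled `Referer-Root` as in the 2007 Access Control draft, that the opt-in response header is `Access-Control` (hypothetical value shown), and that the backend is an ordinary WSGI callable. It does not touch response bodies, so an `<?access-control ... ?>` PI in an XML document would still have to be left out by the application itself.

```python
"""Added example, not from the mailing-list thread: a WSGI middleware that
lets a server close its cross-site boundary on its own, without relying on
the client.

Assumptions (mine, not the list's): the draft's request header is
``Referer-Root`` (``HTTP_REFERER_ROOT`` in the WSGI environ) and the draft's
opt-in response header family starts with ``Access-Control``.
"""


def strip_access_control(headers):
    """Drop every Access-Control* response header so the server never opts in."""
    return [(k, v) for k, v in headers if not k.lower().startswith("access-control")]


class RefuseCrossSite:
    """Middleware implementing both options from the thread.

    1. Any request carrying Referer-Root is answered with 403 and never
       reaches the application.
    2. Whatever the application emits, Access-Control* headers are removed
       from the response, which has the same effect as never opting in.
    """

    def __init__(self, app, reject_referer_root=True):
        self.app = app
        self.reject_referer_root = reject_referer_root

    def __call__(self, environ, start_response):
        if self.reject_referer_root and "HTTP_REFERER_ROOT" in environ:
            body = b"cross-site requests are not accepted by this server\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]

        def filtered_start_response(status, headers, exc_info=None):
            # Headers pass through here before reaching the real server.
            return start_response(status, strip_access_control(headers), exc_info)

        return self.app(environ, filtered_start_response)


def demo_app(environ, start_response):
    """Constructed backend that (unwisely) opts in to cross-site reads for all."""
    body = b"<?xml version='1.0'?><ok/>"  # no access-control PI in the document
    start_response("200 OK", [("Content-Type", "application/xml"),
                              ("Access-Control", "allow <*>"),  # assumed draft syntax
                              ("Content-Length", str(len(body)))])
    return [body]


def run(app, environ):
    """Invoke a WSGI app once and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def has_access_control(headers):
    """True if any Access-Control* header survived into the response."""
    return any(k.lower().startswith("access-control") for k, _ in headers)


if __name__ == "__main__":
    app = RefuseCrossSite(demo_app)
    same_site = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    cross_site = dict(same_site, HTTP_REFERER_ROOT="http://attacker.example")
    print(run(app, same_site)[:2])   # 200, no Access-Control header
    print(run(app, cross_site)[:2])  # 403, application never called
```

Wrapping the application rather than editing it is what makes this a server-controlled setting: the operator can flip `reject_referer_root` in configuration, and the application cannot opt in behind the operator's back because its headers are filtered on the way out.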
