Close, Tyler J. wrote:
> Sadly it is in many cases far easier for server-side authors to negotiate
> changes on the client side than it is for them to get their own server
> administration team to change configurations.
I suspect this goes back to our discussion on how to think about the 40% market
share commanded by IE6.
So one way to look at it is that we're always going to require a new UA
in order to get support for access-control. If you, in addition, are going
to require additional server support, you are for sure going to increase
the deployment time.
>> I don't really understand what you think the current model can't do that
>> your proposals can.
> Just "be simple". We only needed the client and server to agree on a
> single bit: "Do you understand the Referer-Root header?" Yet somehow,
> we've ended up with an entire policy language with both positive and
> negative statements.
I agree "be simple" is a very worthy goal. Especially for security
features like these. But I believe the strategy "make it as simple as
possible, but no simpler" also applies here. If we only support
server-side checking, we're completely removing the ability to put
cross-site reachable resources on servers where the author does not have
the access (or ability) to configure the server or write cgi scripts.
/ Jonas
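The two models argued over above, as an added simulation that is not part of the thread and not the spec's or any project's code: in the first the server itself inspects the Referer-Root request header and must therefore run code or be configured; in the second the resource merely carries a policy with positive and negative statements and the user agent enforces it, so a plain static file can be made cross-site reachable. The header name "Access-Control", the "allow <...> exclude <...>" policy syntax, the origins and the allow list are all assumptions made for the illustration.

```python
# Added illustration (not from the thread): the two enforcement models
# contrasted in the message. Header name, policy syntax and origins are assumed.
from dataclasses import dataclass, field


@dataclass
class Request:
    referer_root: str   # origin of the requesting page, e.g. "http://example.org"
    path: str


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# ---- Model 1: server-side check on a single bit of information -------------
# The server must run code (or be configured) to look at Referer-Root.
ALLOWED_ROOTS = {"http://example.org"}          # constructed allow list


def server_side_check(req: Request) -> Response:
    """Server understands Referer-Root and makes the decision itself."""
    if req.referer_root in ALLOWED_ROOTS:
        return Response(200, body="secret data")
    return Response(403)


# ---- Model 2: policy carried with the resource, enforced by the UA ---------
# Assumed syntax (illustrative, not the spec's): "allow <o1> <o2> exclude <o3>".
# "<*>" is a wildcard. A static file served by any host can carry this.
def parse_policy(policy: str):
    """Split a policy into its positive (allow) and negative (exclude) lists."""
    allow, exclude, current = [], [], None
    for token in policy.split():
        if token == "allow":
            current = allow
        elif token == "exclude":
            current = exclude
        elif token.startswith("<") and token.endswith(">") and current is not None:
            current.append(token[1:-1])
        else:
            raise ValueError(f"bad policy token: {token!r}")
    return allow, exclude


def _matches(entries, origin):
    return any(e == "*" or e == origin for e in entries)


def policy_allows(policy: str, origin: str) -> bool:
    """Positive statements grant access; negative statements override them."""
    allow, exclude = parse_policy(policy)
    return _matches(allow, origin) and not _matches(exclude, origin)


def client_side_fetch(origin: str, resp: Response):
    """The UA has fetched the resource; it exposes the body to a script from
    `origin` only if the policy the resource carries admits that origin.
    A missing policy means deny. The server did no checking at all."""
    policy = resp.headers.get("Access-Control")   # assumed header name
    if policy and policy_allows(policy, origin):
        return resp.body
    return None


if __name__ == "__main__":
    print(server_side_check(Request("http://evil.example", "/d")).status)
    static = Response(200, {"Access-Control": "allow <*> exclude <http://evil.example>"},
                      "public data")
    print(client_side_fetch("http://example.org", static))
    print(client_side_fetch("http://evil.example", static))
```

The point the simulation makes is the one Jonas raises: model 1 needs a decision point on the server, while in model 2 the only thing the author has to control is the policy attached to the resource, and the UA refuses to hand the body to scripts from origins the policy does not admit.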