Personally, I think that both the access control draft as it sits and
JSONRequest are short-term workarounds (all right, hacks), while your
solution feels like a longer-term solution. I'd also like to see the
constraints documented, but I'm not as willing to move on quite yet;
while there may be a place for short-term workarounds, that doesn't
mean we need to settle for them.
Cheers,
On 08/01/2008, at 10:45 AM, Close, Tyler J. wrote:
Hi Dave,
Thanks for the encouragement.
I'd like to get the constraints nailed down before offering another
design. One possible interpretation of the conversation to date is
that the mechanism must work if the author has only the ability to
deposit a single file on the web server. That makes things pretty
tough.
Given the resistance to changing the design of the XMLHttpRequest
proposal, and Jonas Sicking's comment that Firefox 3 will support
JSONRequest, I'm also strongly tempted to say "good enough" and move
on.
--Tyler
-----Original Message-----
From: David Orchard [mailto:[EMAIL PROTECTED]
Sent: Monday, January 07, 2008 3:31 PM
To: Close, Tyler J.
Cc: [email protected]
Subject: RE: Comments on: Access Control for Cross-site Requests
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Close, Tyler J.
Sent: Wednesday, January 02, 2008 5:57 PM
To: Ian Hickson
Cc: Jonas Sicking; Anne van Kesteren; [email protected]
Subject: RE: Comments on: Access Control for Cross-site Requests
<snip/>
(I still doubt the utility of these constraints, but
whatever, I'll play)
--Tyler
I personally haven't heard clear, compelling evidence why client-side
PEP is worth the complexity. By my read of the WG, I see a few folks
for client-side PEP and a few folks interested in the server-side-only
PEP.

I take the review of the Security Context WG very seriously. The fact
that apparently you, Doug Crockford, Jon F, Mark N, and others are
concerned about this, perhaps the largest, part of the design gives me
cause for serious concern. I think that if the Working Group members
won't explore the server-side PEP design, then a number of WG members
and non-members but interested parties would be grateful for the
design(s) that you choose to offer. I'm not sure that there is
consensus in the WG for the client-side PEP approach given your and
others' similar comments, and I think that you've added some useful new
information.
Cheers,
Dave
--
Mark Nottingham [EMAIL PROTECTED]