On 09/01/2008, at 9:38 AM, Brad Porter wrote:

> In particular, moving to server-based access-control requires:
> a) browsers to provide verifiable REFERER, unique user, or other
> equivalent identity information

I don't follow this. It requires data to be provided by the browser
(Referer-Root in the current proposal), but it doesn't require it to
be verifiable, any more than you require the client's application of
the policy to be verifiable.
If anything, I'd imagine the server-side model to be more attractive
to the corporate IT department, because it requires so much less of
the browser (where so many security bugs have originated, and
something entirely outside their ability to fix).
--
Mark Nottingham
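One way the server-side check discussed above could look, as an added example that is not part of the thread: the server applies its policy to whatever Referer-Root the browser sent, without being able to verify it. Treating the header value as a `scheme://host[:port]` origin and the allowlist contents are assumptions; the thread names only the header.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to read this resource,
# stored as (scheme, host, port) with explicit ports.
ALLOWED_ORIGINS = {
    ("https", "app.example.com", 443),
    ("http", "intranet.example.net", 8080),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Normalise a scheme://host[:port] string to (scheme, host, port).

    Returns None for a missing or malformed value. The origin-like format
    of Referer-Root is an assumption made for this example.
    """
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an origin carries no path; reject anything richer
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        return None  # non-numeric or out-of-range port
    # urlsplit already lower-cases scheme and hostname
    return (parts.scheme, parts.hostname, port)


def decide(headers):
    """Server-side policy: allow only when Referer-Root is on the allowlist.

    The decision rests entirely on a browser-supplied header; the server
    cannot check that the claim is true, only that it matches policy.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = parse_origin(lowered.get("referer-root"))
    if origin is None:
        return False  # absent or malformed header: deny by default
    return origin in ALLOWED_ORIGINS
```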