On Thu, 10 Jan 2008, Brad Porter wrote:
>
> I wonder to some extent if this entire debate could be addressed by
> including functionality in the access-control specification that would
> allow the server to also perform the validation if it chose? A
> solution where both the browser and the server are enforcing the policy
> may ultimately be the strongest. This would enable webmasters to feel
> like they have some control, but also prevent the browser vendors from
> being blamed when webservers accidentally expose all their data by
> improperly implementing the server-side gate.

There already is a server-side gate. The server ultimately controls what
headers and PIs are sent back on a per-response basis; you can treat the
current specification as a purely server-side model that just happens to
have a syntactically complicated handshake.

I agree with all your other comments regarding the need for the option of
providing a static declaration of policy.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
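
The per-response gate discussed in this exchange, sketched as an added example that is not part of the original messages or of the specification. It assumes the `Origin` and `Access-Control-Allow-Origin` header names of the later CORS standard rather than the 2008 draft syntax; the `gate` function and the allowlist are hypothetical.

```python
# Added example: one decision point that both emits the policy header the
# browser enforces and refuses to return data itself (server-side enforcement).
# Header names are those of the later CORS standard (an assumption, see lead-in).

ALLOWED_ORIGINS = frozenset({"https://app.example.com"})  # constructed allowlist


def gate(request_headers, body, allowed=ALLOWED_ORIGINS):
    """Return (status, response_headers, response_body) for one request.

    request_headers is a dict whose keys are already normalised to the
    canonical spelling ("Origin").
    """
    origin = request_headers.get("Origin")
    # The response differs per requesting origin, so caches must key on it.
    headers = {"Vary": "Origin"}

    if origin is None:
        # Same-origin navigation or a non-browser client: no cross-site
        # grant is emitted, and the normal access checks (not shown) apply.
        return 200, headers, body

    if origin in allowed:
        # Echo the single matching origin; never a wildcard for private data.
        headers["Access-Control-Allow-Origin"] = origin
        return 200, headers, body

    # Disallowed origin: the browser would block the read anyway because no
    # grant header is present, and the server also withholds the data.
    # Origin is client-supplied, so this is defence in depth for browser
    # traffic, not authentication.
    return 403, headers, b""


if __name__ == "__main__":
    data = b'{"account": "constructed sample"}'
    for hdrs in ({}, {"Origin": "https://app.example.com"},
                 {"Origin": "https://evil.example"}, {"Origin": "null"}):
        status, out, payload = gate(hdrs, data)
        print(hdrs.get("Origin"), status, out, len(payload))
```
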
