On 09/01/2008, at 1:36 PM, Jon Ferraiolo wrote:
How does the WAF WG want to receive feedback on the use cases and
requirements document? Via ad hoc emails on this list?
One thing that strikes me immediately is that there are requirements
about XSS (cross-site scripting) but no mention of CSRF, which is
one of the concern areas from the folks at OpenAjax Alliance,
primarily due to the current specification saying that cookies will
be sent.
+1
From what I understand, the response to this concern is usually "that
horse has already bolted."
For the record, while I understand this sentiment, I personally don't
think it's a good excuse to open the door wider.
Cheers,
Jon
"David Orchard" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/08/2008 04:04 PM
To: "WAF WG (public)" <[email protected]>
Subject: ISSUE 19: Requirements and Usage Scenarios document
Art suggested that I could do a bit of spec grunt work on a
requirements document, so I put some pen to paper. I've made a stab
at creating a requirements/usage scenarios document based upon Ian's
requirements. I've checked it into the waf access-control cvs dir,
but I don't think I have permissions to make the files world
readable. Hence, I've sent to www-archive at http://lists.w3.org/Archives/Public/www-archive/2008Jan/0010.html
The HTML is at
http://lists.w3.org/Archives/Public/www-archive/2008Jan/att-0010/AccessControl-Requirements-20070108.html
I hope this helps the working group and I'm glad to continue or not
continue work on the document as the WG sees fit.
Cheers,
Dave
--
Mark Nottingham [EMAIL PROTECTED]