On Tue, 22 Jan 2008 23:14:26 +0100, Mark Nottingham <[EMAIL PROTECTED]> wrote:
> On 22/01/2008, at 8:59 PM, Anne van Kesteren wrote:
>> On Tue, 22 Jan 2008 04:56:52 +0100, Mark Nottingham <[EMAIL PROTECTED]> wrote:
>>> [...] Separate from the server-side vs. client-side policy enforcement
>>> issue (which I'm not bringing up here explicitly, since it's an open
>>> issue AFAICT, although the WG doesn't link to its issues list from its
>>> home page), the Working Group needs to motivate the decision to have
>>> access control policy only apply on a per-resource basis, rather than
>>> per resource tree, or site-wide.
>>
>> It's not an open issue.
>
> Let's have one, then. The W3C has already solved the problem of
> site-wide metadata once, and there should be *some* reason for taking a
> different path this time.

Actually, we have an open issue on this one and it's proposed for closing
as we have a per-resource policy requirement.

>>> Overall, this approach doesn't seem well-integrated into the Web, or
>>> even friendly to it; it's more of a hack, which is puzzling, since it
>>> requires clients to change anyway.
>>
>> I don't really understand this. Changing clients is cheap compared to
>> changing all the servers out there.
>
> Spoken like a true browser vendor. The thing is, it's not necessary to
> change all of the servers; anyone who's sufficiently motivated to
> publish cross-site data can get their server updated, modified, or move
> to a new one easily. OTOH they have *no* power to update their users'
> browsers (unless they're in an especially iron-fisted enterprise IT
> environment, and even then...).

We need updates of browsers anyway. Otherwise cross-site XMLHttpRequest
will not work. Also, I still don't understand your comment correctly.

>> Multi-user hosts already need filtering. Otherwise they could simply
>> load a page from the same domain with a different path in an <iframe>
>> or something and do the request from there. The security model of the
>> Web is based around domains. How unfortunate or fortunate that may be.
>
> Yes; it's still worth pointing this out for the uninitiated.

Can you propose some text?
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
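As an added illustration of the two points argued in the thread above, and not code from the thread or from the Access Control specification: the browser compares origins (scheme, host, port) and never paths, so two users' directories on one shared host are a single principal; and a per-resource policy lets one user opt in to cross-site access without exposing the other, where a site-wide policy is one decision for the whole host. The hostnames are constructed, and the policy tables are an assumed stand-in for whatever header syntax the spec defines, which this example does not model.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return the (scheme, host, port) triple the same-origin policy compares.
    The path is deliberately not part of it: /alice/ and /bob/ on one host
    are one principal as far as the browser is concerned."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return (u.scheme, u.hostname, port)

def same_origin(url_a, url_b):
    return origin_of(url_a) == origin_of(url_b)

# Constructed shared host: alice and bob each own a path under it.
ALICE_DATA = "http://users.example.net/alice/data.json"
BOB_DATA = "http://users.example.net/bob/private.json"
ALICE_APP = origin_of("http://alice-app.example/")
OTHER_SITE = origin_of("http://other.example/")

# Per-resource policy (assumed model): each resource names the origins it admits.
PER_RESOURCE_POLICY = {
    ALICE_DATA: {ALICE_APP},
    BOB_DATA: set(),  # bob has not opted in to anything
}

# Site-wide policy (assumed model): one decision per host covering every path.
SITE_WIDE_POLICY = {
    "users.example.net": {ALICE_APP},  # alice's opt-in, applied host-wide
}

def allowed_per_resource(resource_url, requester_origin):
    """True if the resource's own policy admits the requesting origin."""
    return requester_origin in PER_RESOURCE_POLICY.get(resource_url, set())

def allowed_site_wide(resource_url, requester_origin):
    """True if the host-wide policy admits the requesting origin, whatever the path."""
    host = urlsplit(resource_url).hostname
    return requester_origin in SITE_WIDE_POLICY.get(host, set())

if __name__ == "__main__":
    print("alice and bob share an origin:", same_origin(ALICE_DATA, BOB_DATA))
    print("per-resource, bob exposed to alice's app:", allowed_per_resource(BOB_DATA, ALICE_APP))
    print("site-wide, bob exposed to alice's app:", allowed_site_wide(BOB_DATA, ALICE_APP))
```

The first result is why a shared host must already isolate its users by other means (a page under /bob/ can fetch /alice/ from an iframe today); the last two show what each policy scope grants when only alice has opted in.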