Multi-user hosts already need filtering. Otherwise they could simply load a page from the same domain with a different path in an <iframe> or something and do the request from there. The security model of the Web is based around domains. How unfortunate or fortunate that may be.

Yes; it's still worth pointing this out for the uninitiated.

Can you propose some text?

I wrote something down:

  http://dev.w3.org/2006/waf/access-control/#design-decision-faq


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
