On 23/01/2008, at 9:50 AM, Anne van Kesteren wrote:
On Tue, 22 Jan 2008 23:14:26 +0100, Mark Nottingham <[EMAIL PROTECTED]> wrote:
On 22/01/2008, at 8:59 PM, Anne van Kesteren wrote:
On Tue, 22 Jan 2008 04:56:52 +0100, Mark Nottingham <[EMAIL PROTECTED]
[...] Separate from the server-side vs. client-side policy
enforcement issue (which I'm not bringing up here explicitly,
since it's an open issue AFAICT, although the WG doesn't link to
its issues list from its home page), the Working Group needs to
motivate the decision to have access control policy only apply on
a per-resource basis, rather than per resource tree, or site-wide.
It's not an open issue.
Let's have one, then. The W3C has already solved the problem of
site-wide metadata once, and there should be *some* reason for
taking a different path this time.
Actually, we have an open issue on this one and it's proposed for
closing as we have per resource policy requirement.
Perhaps it would be good to get consensus on requirements first...
At any rate, take a look at P3P, which does allow per-resource policy.
Overall, this approach doesn't seem well-integrated into the Web,
or even friendly to it; it's more of a hack, which is puzzling,
since it requires clients to change anyway.
I don't really understand this. Changing clients is cheap compared
to changing all the servers out there.
Spoken like a true browser vendor. The thing is, it's not necessary
to change all of the servers; anyone who's sufficiently motivated
to publish cross-site data can get their server updated, modified,
or move to a new one easily. OTOH they have *no* power to update
their users' browsers (unless they're in an especially iron-fisted
enterprise IT environment, and even then...).
We need updates of browsers anyway. Otherwise cross-site
XMLHttpRequest will not work. Also, I still don't understand your
comment correctly.
I'm not sure what I can do to make it clearer.
Multi-user hosts already need filtering. Otherwise they could
simply load a page from the same domain with a different path in
an <iframe> or something and do the request from there. The
security model of the Web is based around domains. How unfortunate
or fortunate that may be.
Yes; it's still worth pointing this out for the uninitiated.
Can you propose some text?
In Security Considerations:
Because the granularity of access control is only per referring site,
authors sharing content with domains that host content for more than
one user (e.g., sites with user accounts, picture hosting sites,
"social networking" sites) should be aware that it is not possible to
selectively share content; if requests are allowed from a host, they
are allowed for all resources on that host.
--
Mark Nottingham [EMAIL PROTECTED]
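
Added example, not part of the original message or of the Working Group's draft: a small JavaScript audit of the limitation described in the proposed Security Considerations text, showing which unintended pages an allow list admits once it is reduced to site granularity. It assumes a requesting site is identified by scheme, host and port (what `URL.origin` returns); the function names and all URLs are constructed.

```javascript
// Assumption: a policy can only name the requesting site (scheme + host + port).
// The path of the requesting page, and so the user who owns it, is invisible.

// Reduce a page URL to the only identity a site-granular policy can express.
function siteOf(pageUrl) {
  return new URL(pageUrl).origin;
}

// Build the allow list an author must publish to share with the `wanted`
// pages, then report every `unwanted` page that the same list also admits.
function auditSharing(wanted, unwanted) {
  const allowList = [...new Set(wanted.map(siteOf))];
  const collateral = unwanted.filter((page) => allowList.includes(siteOf(page)));
  // Sites where selective sharing is impossible: one entry covers everyone.
  const sharedSites = [...new Set(collateral.map(siteOf))];
  return { allowList, collateral, sharedSites };
}

// The decision taken for one incoming request under that allow list.
function isAllowed(requestingPage, allowList) {
  return allowList.includes(siteOf(requestingPage));
}

// Constructed sample: pages the author wants to share with, and pages they do not.
const wanted = [
  "https://pics.example/~alice/album.html", // one user on a multi-user host
  "https://partner.example/dashboard",      // a single-owner site
];
const unwanted = [
  "https://pics.example/~other-user/page.html", // same host, different user
  "https://unrelated.example/index.html",
  "http://partner.example/dashboard",           // different scheme, different site
];

const report = auditSharing(wanted, unwanted);
console.log("published allow list:", report.allowList);
console.log("admitted although unwanted:", report.collateral);
console.log("sites needing their own per-user filtering:", report.sharedSites);
```

A non-empty `collateral` list means the intended sharing cannot be expressed at this granularity, so the host named in `sharedSites` has to be treated as trusted in its entirety or left off the list.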