Hi All,
Starting a new thread on this since I want to only talk about the
requirements and problems we're trying to solve first, before getting
involved in discussing the various solutions.
We have received a number of comments saying that the policy enforcement
point (PEP) should be the server rather than the client.
First I'd like to note that some of the enforcement will always have to
live in the client. The client is already today what enforces the
same-origin policy. If you open an HTML resource from another site in an
<iframe>, or a PNG resource from another site in an <img>, the network
request will always happen, but the client is what stops other sites
from reading the data.
Second, the argument has been brought up that server-side PEP is more
flexible. However, the current access-control spec allows both
server-side and client-side filtering, so all the flexibility of
server-side PEP should already be there. If that is not the case, please
explain exactly what flexibility is lacking in the current proposal.
Third, people have been bringing up security concerns with client-side
PEP. If you are concerned about client-side PEP, please elaborate on
exactly what attacks you are worried about in the current proposal.
In short, if you have concerns about the ability to do client-side PEP,
please describe in detail those concerns. Don't jump directly to
alternative solutions.
Best Regards,
Jonas Sicking
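The distinction the mail draws between a server-side and a client-side policy enforcement point, modelled as an added example that is not part of the original message or of the access-control spec. It assumes today's CORS header names (Origin, Access-Control-Allow-Origin) rather than the draft's syntax, and the origins and resource are constructed. It shows that with client-side filtering the bytes still cross the network and only the user agent stops script from reading them, whereas with server-side filtering the server withholds the body; the client check is still the one that makes the data unreadable in either case.

```javascript
// Constructed resource hosted at https://data.example, readable only by one origin.
const RESOURCE = { body: '{"secret":42}', allowedOrigins: ["https://app.example"] };

// Server-side PEP: the server inspects the Origin request header and refuses
// to send the body to any origin it does not trust (assumed policy).
function serverSidePEP(request) {
  const origin = request.headers.origin;
  if (!RESOURCE.allowedOrigins.includes(origin)) {
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "access-control-allow-origin": origin },
    body: RESOURCE.body,
  };
}

// Server with no enforcement of its own: it always answers, exactly like the
// <img>/<iframe> case in the mail where the network request always happens,
// and merely declares which origin may read the response.
function serverDeclaresOnly(request) {
  return {
    status: 200,
    headers: { "access-control-allow-origin": RESOURCE.allowedOrigins[0] },
    body: RESOURCE.body,
  };
}

// Client-side PEP: the user agent compares the declared policy with the
// origin of the requesting page before exposing the body to script.
function clientSidePEP(pageOrigin, response) {
  const allow = response.headers["access-control-allow-origin"];
  const readable = response.status === 200 && (allow === "*" || allow === pageOrigin);
  return {
    bytesTransferred: response.body.length, // what actually crossed the network
    exposedToScript: readable ? response.body : null, // what the page can read
  };
}

// A page at pageOrigin issues a cross-origin request to the given server model.
function fetchCrossOrigin(pageOrigin, server) {
  const request = { headers: { origin: pageOrigin } };
  return clientSidePEP(pageOrigin, server(request));
}
```

Running `fetchCrossOrigin("https://evil.example", serverDeclaresOnly)` shows 13 bytes transferred but nothing exposed to script, while the same call against `serverSidePEP` transfers 0 bytes.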