Thomas Roessler wrote:
> I believe that this is the current wording of requirement 9:
>
> <sicking> i'd be ok with "Must not require that the server
> filters the entity body of the resource in order to deny
> cross-site access to all resources on the server"
>
> (From the minutes.)
>
> It occurs to me that the current specification assumes that all
> cross-site requests have a Referer-Root header set. That suggests
> that a configuration step as common as denying any requests with a
> particular header would be enough to fulfill this requirement, without
> actually relying upon the policy mechanism itself.
>
> In fact, for the kind of use case that this requirement seems to have
> in mind (somebody screwed up badly during policy authoring), that
> strategy would most likely be the one a sane administrator would
> take. Otherwise, there would be a risk that the insane policy comes
> with a bad Method-Check-Expires HTTP header.
Yes. I still stand by the formulation of the requirement though. The use
case you described "somebody screwed up badly during policy authoring"
is the one I am worried about so any solution that fits that is ok with
me. I.e. I think we should nail down the requirement as stated above,
and then discuss the solutions that can fit it.
/ Jonas
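The "deny any request carrying a particular header" configuration step that the quoted message describes, as an added example that is not part of this thread. It assumes Apache httpd with mod_rewrite enabled; the header name Referer-Root is the one the draft under discussion attaches to cross-site requests, and the rule rejects such requests server-wide without consulting any access-control policy or Method-Check-Expires value.

```apache
# Added example: refuse every request that carries a Referer-Root header.
# This denies cross-site access to all resources on the server at the
# HTTP layer, independent of whatever policy the resources themselves
# (or their cached Method-Check-Expires values) would have granted.
RewriteEngine On

# Match when the Referer-Root request header is present with any value.
RewriteCond %{HTTP:Referer-Root} .

# Stop processing and answer 403 Forbidden for such requests.
RewriteRule ^ - [F,L]
```

Because the rule keys only on header presence, it also blocks same-origin clients that happen to send the header, so it is a blunt emergency measure rather than a substitute for a correct policy.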