Anne van Kesteren wrote:
> On Thu, 07 Feb 2008 18:15:55 +0100, Close, Tyler J.
> <[EMAIL PROTECTED]> wrote:
> > Sure, and there are even cases of sites that can safely process
> > cross-domain non-GET requests. This WG is trying to create a new way to
> > do this, but the handling of accountability is... unclear.
>
> It's really up to the server to decide on that. Part of the reason the
> server has to opt-in.

But the proposed protocol makes it impossible for the server to determine
accountability using the status quo mechanism of user authentication
cookies. The proposed protocol introduces a subtle security vulnerability
into the web developer's toolbox and runs off saying: "It's your problem
buddy!"

> > Is the user or the Referer-Root site accountable for a cross-domain
> > non-GET request? Does the proposed protocol make it possible for the
> > site hosting the resource to correctly determine the answer to that
> > question?
>
> Does
> http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0077.html
> help?

No, it doesn't.

Jonas Sicking wrote:
> Another way to look at it is; if you host web pages on your
> web server, who do you hold accountable today? The person
> creating the webpage, or the person whose cookies or auth
> credentials you receive.

Today, a web resource that uses cookies to authenticate the source of a
POST request typically holds the user accountable for that POST. That
policy doesn't work for a cross-domain POST under the WG's current
proposal.

--Tyler
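The accountability problem Tyler raises, shown as server-side code. This is an added example and not code from the thread or from the WG draft: it models the status-quo policy (whoever presents the session cookie is accountable) next to a policy that also reads the cross-site marker the thread calls Referer-Root. The request objects, the session table, the origin https://bank.example and the exact form of the header are all constructed assumptions for the example; the second policy is one possible server response, not the WG's design.

```javascript
// Added example (not from the thread). Models the accountability decision a
// server makes for a POST. Request objects and the session table are
// constructed; the "Referer-Root" header name is the one the thread uses,
// its exact value format here is an assumption.

const OWN_ORIGIN = 'https://bank.example'; // assumed origin of the resource host

// Constructed session table: session id -> authenticated user.
const SESSIONS = { abc123: 'alice' };

// Parse a Cookie header into a key/value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Resolve the user the request's cookie authenticates, or null.
function userFromCookie(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  return sid && SESSIONS[sid] ? SESSIONS[sid] : null;
}

// Status-quo policy: the party whose session cookie arrives is accountable.
// This is blind to who authored the request.
function statusQuoAccountable(req) {
  return userFromCookie(req);
}

// Policy that reads the cross-site marker the proposal would add. When the
// request originated at another site, the cookie still names the user, but
// the user did not author the request; the originating site did.
function crossSiteAwareAccountable(req) {
  const user = userFromCookie(req);
  const root = req.headers['referer-root'];
  if (!root || root === OWN_ORIGIN) {
    return { accountable: user, crossSite: false };
  }
  return { accountable: root, crossSite: true, cookieUser: user };
}

// Constructed requests: a same-site POST alice submitted herself, and a
// cross-site POST that another site's page caused alice's browser to send,
// with her cookie attached by the browser.
const sameSitePost = {
  method: 'POST',
  headers: { cookie: 'sid=abc123' },
  body: 'transfer=100&to=bob',
};
const crossSitePost = {
  method: 'POST',
  headers: { cookie: 'sid=abc123', 'referer-root': 'https://attacker.example' },
  body: 'transfer=100&to=mallory',
};

// Run both policies over both requests.
function demo() {
  return {
    statusQuo: [statusQuoAccountable(sameSitePost), statusQuoAccountable(crossSitePost)],
    aware: [crossSiteAwareAccountable(sameSitePost), crossSiteAwareAccountable(crossSitePost)],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the status-quo policy both requests resolve to alice, which is the point of the objection: on the wire the two POSTs differ only by the marker, so a server that keeps its existing cookie-based policy holds the user accountable for a request a third-party site composed. The second policy only separates the two principals if the browser reliably attaches the marker and the server is rewritten to read it, which is exactly the burden the thread says the proposal pushes onto the developer.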
