On the architecture side, Access Control is just plain wrong, with the PEP
on the client instead of the server,
which requires data to be sent along the pipe to the client, where the
client is trusted to discard the data if the
user isn't allowed to see the data; it is just plain architecturall
Thomas Roessler <[EMAIL PROTECTED]> wrote on 04/14/2008 08:21:50 AM:
> On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote:
>
> > On the architecture side, Access Control is just plain wrong,
> > with the PEP on the client instead of the server, which requires
> > data to be sent along the pipe to
You do realise that with XDR, 'resource host' has no means to
authenticate the user using (relatively secure) HTTP digest
authentication?
I both realize and support XDR's decision to not transmit the user's HTTP
auth credentials. These credentials are semantically equivalent to the use
of co
On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote:
> On the architecture side, Access Control is just plain wrong,
> with the PEP on the client instead of the server, which requires
> data to be sent along the pipe to the client, where the client is
> trusted to discard the data if the user isn't
Subject
RE: What is Microsoft's intent with
Laurens Holst wrote:
> Close, Tyler J. schreef:
> > I've written several messages to the appformats mailing
> list. I suggest reading all of them. The most detailed
> description of the attacks is in the message at:
> >
> >
> http://www.w3.org/mid/C7B67062D31B9E459128006BAAD0DC3D074F8B65
> [EMAI
From web developer's perspective, the idea of having a completely divergent
API and technique for doing cross-site requests between browsers does not
seem beneficial. As much as possible I would hope that MS and CS-XHR can
converge. It seems like there are a number of differences that can be
Close, Tyler J. schreef:
I've written several messages to the appformats mailing list. I suggest reading
all of them. The most detailed description of the attacks is in the message at:
http://www.w3.org/mid/[EMAIL PROTECTED]
with a correction at:
http://www.w3.org/mid/[EMAIL PROTECTED]
You
"Close, Tyler J." <[EMAIL PROTECTED]>, 2008-04-02 23:52 +:
> I think the AC4CSR spec is a goner, and so appreciate Microsoft
> stepping up with a proposal that seems more likely to survive
> study and deployment. Given the Mozilla announcement, now seems
> like the right time to move on from t
Hi Tyler,
On Apr 2, 2008, at 6:08 PM, Close, Tyler J. wrote:
Maciej Stachowiak wrote:
On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:
Sending the user's cookies, as AC4CSR does, is just not a viable
design, since the target resource cannot determine whether or not
the user consented t
On Thu, 3 Apr 2008, Close, Tyler J. wrote:
> Maciej Stachowiak wrote:
> >
> > Can you please post these examples again, or pointers to where you
> > posted them? I believe they have not been previously seen on the Web
> > API list.
>
> I've written several messages to the appformats mailing lis
Maciej Stachowiak wrote:
> On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:
>
> >
> > Sending the user's cookies, as AC4CSR does, is just not a viable
> > design, since the target resource cannot determine whether or not
> > the user consented to the request. I've posted several explanations
>
On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:
Sending the user's cookies, as AC4CSR does, is just not a viable
design, since the target resource cannot determine whether or not
the user consented to the request. I've posted several explanations
of the attacks enabled by this use of
Close, Tyler J. wrote:
I think Eric's point is that the client specified Content-Type header cannot
be trusted to accurately describe the content, so the server must parse the
content under the assumption that the header is misleading.
I don't think anyone is arguing about that.
There could
I think the XDR proposal is pretty good and is the best of the current
proposals to push forward to standardization. I hope Microsoft finds a way to
make that happen.
Some responses to Jonas' comments are inline below...
Jonas Sicking wrote:
> Eric Lawrence wrote:
> > Ian--
> >
> > Thanks for
t with XDR vis-à-vis W3C? [Was: Re: IE
Team's Proposal for Cross Site Requests]
Sunava Dutta <[EMAIL PROTECTED]> wrote:
> IE would like to propose XDR as a new (Rec-track) spec for the Web API WG.
Whatever you decide to do, please could you choose a different acronym, as
XDR is alre
Sunava Dutta <[EMAIL PROTECTED]> wrote:
> IE would like to propose XDR as a new (Rec-track) spec for the Web API WG.
Whatever you decide to do, please could you choose a different acronym, as
XDR is already used for encoding in RPC.
--
Stewart Brodie
Software Engineer
ANT Software Limited
Eric Lawrence wrote:
Ian--
Thanks for sharing your opinions. I'd like to take the opportunity to clarify
a few points of confusion.
<
I think you are misunderstanding the issues Ian has raised.
Since XDR does not let you set the Content-Type header, the server is in
fact required to sniff
On Wed, 26 Mar 2008, Eric Lawrence wrote (reformatted to follow Internet
standards for mail quoting):
> >
> > This is blatantly untrue, a number of serious security problems with
> > XDR have already been raised (such as the fact that it encourages
> > content-type sniffing
>
> Vis-à-vis conte
pa; Doug
Stamper; Marc Silbey; David Ross; Nikhil Kothari
Subject: RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE
Team's Proposal for Cross Site Requests]
Adding my team back on the thread...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTE
Sunava Dutta wrote:
IE would like to propose XDR as a new (Rec-track) spec for the Web API WG. We
think there is a place for both implementations within the charter of the Web
API. Here's a re-summary of why that I've extracted from our proposal and our
responses. For more details please refe
On Mar 26, 2008, at 14:36, Travis Leithead
<[EMAIL PROTECTED]> wrote:
I strongly object to the Web API working group adopting a proprietary
solution developed by one vendor with no external consultation, when the
group has already spent several man-years' worth of time on a
technological
>I strongly object to the Web API working group adopting a proprietary
>solution developed by one vendor with no external consultation, when the
>group has already spent several man-years' worth of time on a
>technologically superior, safer, and more comprehensive solution that has
>as much implem
Adding my team back on the thread...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ian Hickson
Sent: Wednesday, March 26, 2008 2:22 PM
To: Web API WG (public); [EMAIL PROTECTED]
Subject: RE: What is Microsoft's intent with XDR vis-à-vis W3C? [Wa
On Wed, 26 Mar 2008, Sunava Dutta wrote:
>
> IE would like to propose XDR as a new (Rec-track) spec for the Web API
> WG. We think there is a place for both implementations within the
> charter of the Web API.
I think it would be very bad for the Web platform for there to be multiple
ways to a
rosoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's
Proposal for Cross Site Requests]
[[ My apologies for the late response to this thread (I was OOO last
week). ]]
Sunava, All,
Would you please elaborate on Microsoft's intent with XDR with regard
to W3C? For example is it
[[ My apologies for the late response to this thread (I was OOO last
week). ]]
Sunava, All,
Would you please elaborate on Microsoft's intent with XDR with regard
to W3C? For example is it being proposed as a new (Rec-track) spec
for the Web API WG; is it a counter proposal for the WAF WG