On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote:

> On the architecture side, Access Control is just plain wrong,
> with the PEP on the client instead of the server, which requires
> data to be sent along the pipe to the client, where the client is
> trusted to discard the data if the user isn't allowed to see the
> data; it is just plain architecturally wrong to transmit data
> that is not meant to be seen.

This seems to confuse the attacker model a bit. It's not about the user not being permitted to see the data, it's about a web application from a different origin not being allowed to manipulate the data, even though the user is allowed to see the data.

See this message:

http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0290.html

... for a more detailed discussion of that topic, and some links.

Regards,
-- 
Thomas Roessler, W3C <[EMAIL PROTECTED]>