ISSUE-10 (client-server): Client and Server model [Access Control]
http://www.w3.org/2008/webapps/track/issues/

Raised by: Arthur Barstow
On product: Access Control

[[ This issue was created on 2008-01-04 as Issue #20 in the Web Applications Formats (WAF) WG and is copied in totality to the Web Applications WG's Issues database: http://www.w3.org/2005/06/tracker/waf/issues/20 ]]

Issues have been raised regarding client (i.e. browser) versus server aspects of the model. For example, would it be better and simpler for the policy enforcement point to be the server rather than the client, etc.

On 20 December 2007, Tyler Close raised this issue via:
http://lists.w3.org/Archives/Public/public-appformats/2007Dec/0054.html

There were several relevant follow-ups, including but not limited to:
http://lists.w3.org/Archives/Public/public-appformats/2007Dec/0068.html
http://lists.w3.org/Archives/Public/public-appformats/2007Dec/0071.html
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/.html
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0004.html
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0010.html
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0018.html
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0032.html

Related issues were also raised on 5 November 2007 during the WG's f2f meeting that included members of the Web Security Context WG and the XML Security Spec Maintenance WG:
http://www.w3.org/2007/11/05-waf-minutes.html#item09
Re: ISSUE-10 (client-server): Client and Server model [Access Control]
I don't think we have seen any alternative proposals for putting the policy *enforcement* on the server. It also seems very hard to me to rely on the server enforcing the policy, while still protecting legacy servers, since they currently do not perform any such enforcement.

What I have seen suggestions for though is a simpler policy language that doesn't send a full white-list to the client, but rather just a yes/no decision to the client.

/ Jonas
Re: ISSUE-10 (client-server): Client and Server model [Access Control]
On Mon, Jun 23, 2008 at 2:35 PM, Jonas Sicking wrote:
> What I have seen suggestions for though is a simpler policy language that doesn't send a full white-list to the client, but rather just a yes/no decision to the client.

If we go this route, we should be careful about caching of HTTP responses, especially for GET requests. We don't want clients to use cached yes responses without consulting the server.

Adam
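The caching hazard Adam raises, as an added illustration that is not part of the thread: a simulated HTTP cache stores a server's origin-specific yes/no decision, and a second origin later hits the same URL. The header name "Access-Decision", the origins and the whitelist are constructed for the simulation; the mitigation shown (the server marking the response as varying on the request's Origin via the standard HTTP "Vary" header) is an assumption about one way to keep a cached "yes" from being reused for a different origin.

```python
from typing import Optional, Tuple

# Constructed whitelist: lives only on the server, never sent to the client.
ALLOWED_ORIGINS = {"https://trusted.example"}


def server(origin: str, vary_on_origin: bool) -> dict:
    """Server returns a yes/no decision for this origin (constructed header
    name), plus cache headers. With vary_on_origin it tells caches that the
    answer depends on the Origin request header."""
    headers = {
        "Access-Decision": "yes" if origin in ALLOWED_ORIGINS else "no",
        "Cache-Control": "max-age=3600",
    }
    if vary_on_origin:
        headers["Vary"] = "Origin"
    return headers


class Cache:
    """Minimal cache that keys entries on URL plus the request header values
    named in the stored response's Vary header (no Vary -> URL only)."""

    def __init__(self) -> None:
        self.store: dict = {}

    def lookup(self, url: str, req: dict) -> Optional[dict]:
        for (u, varied), resp in self.store.items():
            if u == url and all(req.get(f) == v for f, v in varied):
                return resp
        return None

    def put(self, url: str, req: dict, resp: dict) -> None:
        fields = [f.strip() for f in resp.get("Vary", "").split(",") if f.strip()]
        self.store[(url, tuple((f, req.get(f)) for f in fields))] = resp


def fetch(cache: Cache, url: str, origin: str, vary: bool) -> Tuple[str, str]:
    """Return (decision, source) where source is 'cache' or 'server'."""
    req = {"Origin": origin}
    hit = cache.lookup(url, req)
    if hit is not None:
        return hit["Access-Decision"], "cache"
    resp = server(origin, vary)
    cache.put(url, req, resp)
    return resp["Access-Decision"], "server"


def scenario(vary: bool):
    """Trusted origin fetches first, then an untrusted one reuses the cache."""
    cache, url = Cache(), "https://api.example/data"
    return (fetch(cache, url, "https://trusted.example", vary),
            fetch(cache, url, "https://evil.example", vary))
```

Without Vary the second origin is served the cached "yes" without the server ever being consulted; with Vary on Origin the cache misses and the server answers "no".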