ISSUE-14 (opt-into-methods-headers): Opting into methods/headers [Access Control] from Web Applications Working Group Issue Tracker on 2008-06-23 (public-webapps@w3.org from April to June 2008)

From: Web Applications Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 23 Jun 2008 19:41:52 +0000 (GMT)
To: public-webapps@w3.org
Message-Id: <20080623194152.4CAF95F74F@stu.w3.org>

ISSUE-14 (opt-into-methods-headers): Opting into methods/headers [Access Control]

http://www.w3.org/2008/webapps/track/issues/

Raised by: Anne van Kesteren
On product: Access Control

[[ This issue was created on 2008-06-06 as Issue #27 in the Web Applications Formats (WAF) WG and is copied in totality to the Web Applications WG's Issues database:
<http://www.w3.org/2005/06/tracker/waf/issues/27> ]]

The current Access Control model allows all methods to be used and all headers (apart from a blacklist and some headers require a preflight request in case of GET).

There is a proposal to only allow methods and headers the server has opted into:

 [AC] Helping server admins not making mistakes
 <http://lists.w3.org/Archives/Public/public-appformats/2008May/0034.html>

 This would make the server more secure by default when opting into Access Control.

The drawback is again that it makes the model more complicated and more prone to bugs.

Received on Monday, 23 June 2008 19:43:33 UTC