[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization

Tyler Close tyler.close at gmail.com
Tue Sep 27 15:15:39 UTC 2005


Hi Justin,

On 9/27/05, Justin Chapweske <justin at chapweske.com> wrote:
> Based on your description, such a system wouldn't work very well due
> to leaks from referrers, logging, and other systems that don't mind
> communicating about visited URLs.

These URLs are https URLs and so won't be leaked in HTTP Referer
headers. Since they are communicated over an SSL connection, logging
is only possible at the server and client machines. The processes at
either end of the SSL connection are necessarily trusted with
authority over the identified resource, since the resource is located
at the server, and controlled by the user.

The only remaining hurdle is that some endpoint processes are not
coded to safely handle such authority. A web browser configured to
relay every visited URL to a third party might be a problem, depending
on the third party. Obviously such snoopy software is also a problem
for sites that encode a session id in the URL.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957
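The following is an added example; it is not code from this message or from the Waterken web-calculus it links to. It models the two things the reply above relies on: an https URL whose unguessable path segment is itself the authorization (a capability URL), and the HTTP/1.1 rule (RFC 2616, section 15.1.3) that a client SHOULD NOT send a Referer header when a page fetched over https links to a non-secure http URL. The hostname, the `/cap/` path prefix, the in-memory store and all function names are assumptions made for the example. The `referer_sent` check also shows the boundary of that rule, which a practitioner should keep in mind: the downgrade protection says nothing about an https capability page that links to a third-party https site, so that link does carry the capability URL unless something else suppresses it.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed in-memory capability store: sha256(token) -> resource name.
# Holding only a digest means a leaked store does not hand out usable URLs.
_ISSUED = {}


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def mint_capability(resource, host="example.com"):
    """Issue an unguessable https URL that both names and authorizes `resource`.

    `host` and the `/cap/` prefix are assumptions for this example."""
    token = secrets.token_urlsafe(32)          # 256 bits of entropy, URL-safe
    _ISSUED[_digest(token)] = resource
    return f"https://{host}/cap/{token}"


def resolve_capability(url):
    """Return the resource a presented URL authorizes, or None.

    Only https capability URLs are honoured: a capability carried over plain
    http has already been exposed to every hop on the path."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    prefix, _, token = parts.path.rpartition("/")
    if prefix != "/cap" or not token:
        return None
    return _ISSUED.get(_digest(token))


def referer_sent(referring_url, target_url):
    """Model the RFC 2616 section 15.1.3 rule: a client SHOULD NOT send a
    Referer header when a page fetched over https links to a non-secure (http)
    URL.  Every other combination is assumed to carry the referring URL, so a
    capability page that links to a third-party https site does leak it."""
    src = urlsplit(referring_url).scheme
    dst = urlsplit(target_url).scheme
    return not (src == "https" and dst == "http")


def leaked_capabilities(cap_url, outbound_links):
    """Outbound links from a capability page that would carry the capability
    URL in a Referer header under the rule modelled above."""
    return [link for link in outbound_links if referer_sent(cap_url, link)]


if __name__ == "__main__":
    url = mint_capability("calendar-of-alice")
    print(url, "->", resolve_capability(url))
    # Constructed outbound links: only the https one carries the capability.
    print(leaked_capabilities(url, ["http://ads.example/", "https://ads.example/"]))
```

`resolve_capability` looks the token up by digest rather than comparing the raw secret, so the store can be persisted without holding usable capabilities; the https-only check implements the "processes at either end of the SSL connection" assumption from the reply by refusing a capability that has already travelled in clear text.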
