Protecting resources

This post is for Mark Sheldon: Last summer I wrote this memo on “resource protection” (access control, sort of) on the web. It resembles a brief summary of Tyler Close’s paper ACLs don’t and was input to the W3C TAG (technical architecture group)’s consideration of a draft from the W3C web apps working group on cross-origin requests (basically, the problem of preventing attacks on web page B when web content from A accesses content from B). Later in 2009, Tyler and Mark Miller published “Uniform Messaging Policy“. The conversation continues in the web apps WG.