W3C home > Mailing lists > Public > public-appformats@w3.org > August 2007

[access-control] Access requests

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 01 Aug 2007 13:19:40 +0200
To: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.twdoe20r64w2qv@annevk-t60.oslo.opera.com>

I wrote up access requests as part of the access-control specification,  
but after thinking about it I think it makes more sense if specifications  
that use the access control mechanism, such as XMLHttpRequest, define how  
to perform the request exactly and that the access-control specification  
makes some requirements on such requests.

Here's what I came up with in not so formal language:

requests
  * need to include Referer-Root header (contains requesting URI)
  * need to handle redirects
  * need to handle network issues
  * redirects need to be cancelable (for XMLHttpRequest 2)

non-GET requests
  * need to make GET request first with If-Method-Allowed header set
  * for this GET request you need to store the URI after all redirects are  
made (final URI)
  * you need to perform an access check on the final URI
  * then make a non-GET request to the final URI

(For the non-GET requests the requests requirements still apply of course.)

Whether an access check is performed at the end of the request depends on  
the specification. For XMLHttpRequest it would be if the final URI is not  
a same-origin URI.

I think it makes sense to put guidelines regarding those requests in the  
access-control specification as well as to register the Referer-Root  
header and If-Method-Allowed header as part of that specification.

Any thoughts?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 1 August 2007 11:19:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:07 UTC