RE: Simplifying the AC spec

+1.  This all looks really good from a simplification perspective for
the current requirements.  

Cheers,
Dave
 

> -----Original Message-----
> From: public-appformats-request@w3.org 
> [mailto:public-appformats-request@w3.org] On Behalf Of Ian Hickson
> Sent: Friday, February 08, 2008 10:37 AM
> To: Jonas Sicking
> Cc: WAF WG (public)
> Subject: Re: Simplifying the AC spec
> 
> 
> On Fri, 8 Feb 2008, Jonas Sicking wrote:
> > 
> > I propose that we remove both the Method-Check header, and the list of
> > methods from the Access-Control header.
> 
> I support this.
> 
> 
> > Thomas Roessler pointed out that 1 is better solved by simply stopping
> > all requests that included a Referer-Root header. This could be done
> > on a server level and would also stop any cached OPTIONS requests from
> > making unsafe actions reach a CGI script. [Thus I propose dropping the
> > deny rules.]
> 
> I support that too.
> 
> 
> > I like this idea a lot. The only problem is that I'm worried that the
> > Referer-Root header might get picked up by other specs due to its
> > usefulness and generic name. However if we specified that Referer-Root
> > should only ever be included in cross-site requests, then that should
> > mitigate that problem. In fact, I've wanted to add a header for
> > cross-site image and script loads to allow the server to reject these
> > more easily. (That would of course not be part of this spec).
> 
> I agree this is a problem. I think if we remove the
> "deny" rule and say that Referer-Root is the way to detect 
> third-party access, we should rename the header to be 
> absolutely clear as to what is going on.
> 
> I recommend the name Access-Control-Origin.
> 
> At this point it would make sense to rename the 
> Method-Check-* headers too. I recommend changing the 
> "Method-Check-" part to "Access-Control-", so that the headers are:
> 
>    On requests from a client:
>                   Access-Control-Origin
> 
>    On responses to OPTIONS when the policy is elsewhere:
>                   Access-Control-Policy-Path
> 
>    On all other responses:
>                   Access-Control
>                   Access-Control-Max-Age
>                   Access-Control-Policy-Path
> 
> -- 
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
> 
> 
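The server-level mitigation Thomas Roessler suggested (stop every request that carries the cross-site marker header, before it can reach a CGI script) combined with the header names Ian proposes, as an added example that is not code from the thread or from any W3C draft. The allow list, the `Access-Control` value syntax, the policy path and the max-age are constructed assumptions of this example, not the spec's grammar.

```python
# Added example (not from the thread): a request gate that runs before any
# application code, in the spirit of the server-level Referer-Root stop
# discussed above, using the renamed headers Ian Hickson proposes.
from typing import Dict, Mapping, Optional, Tuple

# Constructed allow list of origins permitted to make cross-site requests.
ALLOWED_ORIGINS = frozenset({"http://app.example.com", "https://app.example.com"})

# The request header that marks a request as cross-site. The thread proposes
# renaming Referer-Root to Access-Control-Origin; both are accepted here so
# the gate keeps working during a rename.
MARKER_HEADERS = ("access-control-origin", "referer-root")

POLICY_PATH = "/access-control-policy"  # assumed location of the policy
MAX_AGE_SECONDS = 3600                  # assumed cache lifetime for the policy


def cross_site_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Return the origin carried by the cross-site marker header, or None
    when the request carries no marker (treated as same-origin)."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    for name in MARKER_HEADERS:
        if name in lowered:
            return lowered[name]
    return None


def gate_request(method: str, headers: Mapping[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide, before dispatch, whether a request may reach application code.

    Returns (status, response_headers). The check runs for every method, so a
    cached or replayed OPTIONS exchange cannot let an unsafe method through:
    each request passes the same gate on its own marker header.
    """
    origin = cross_site_origin(headers)
    if origin is None:
        # Same-origin request: no access-control headers are needed.
        return 200, {}

    if origin not in ALLOWED_ORIGINS:
        # Server-level stop: a cross-site request from an unknown origin is
        # rejected here and the CGI script never sees it.
        return 403, {}

    if method.upper() == "OPTIONS":
        # Policy lives elsewhere: the OPTIONS response only points at it.
        return 200, {"Access-Control-Policy-Path": POLICY_PATH}

    # Allowed cross-site request: return the policy with the response.
    return 200, {
        "Access-Control": f"allow <{origin}>",  # assumed value syntax
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
        "Access-Control-Policy-Path": POLICY_PATH,
    }


if __name__ == "__main__":
    # Constructed sample requests exercising each branch of the gate.
    samples = [
        ("GET", {}),
        ("POST", {"Referer-Root": "http://unknown.example"}),
        ("OPTIONS", {"Access-Control-Origin": "http://unknown.example"}),
        ("OPTIONS", {"Access-Control-Origin": "https://app.example.com"}),
        ("GET", {"Access-Control-Origin": "https://app.example.com"}),
    ]
    for method, hdrs in samples:
        status, resp = gate_request(method, hdrs)
        print(f"{method:7} {hdrs!r:60} -> {status} {resp}")
```

The gate treats the marker header purely as a signal that the request is cross-site, which is exactly why the thread wants a name that no other spec will reuse: if some unrelated mechanism started emitting the same header, every such request would be stopped here.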

Received on Friday, 8 February 2008 19:55:07 UTC