Re: Accountability in AC4CSR

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 14 Feb 2008 04:58:43 +0100
To: "Ian Hickson" <ian@hixie.ch>, "John Panzer" <jpanzer@acm.org>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t6hxb5a664w2qv@annevk-t60.oslo.opera.com>

On Thu, 14 Feb 2008 00:36:05 +0100, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 13 Feb 2008, John Panzer wrote:
>> Some of today's APIs like Flickr put authorization evidence into URL
>> query parameters for CSR.  It's mildly bad to do this because such
>> things are more likely to get logged and sniffed than headers, and you
>> can't separate the resource URL from the authorization proof being
>> presented to use it, which would be useful in caching.
>
> Also agreed. That's one of the reasons that XMLHttpRequest + Access
> Control together let you set arbitrary extension headers.

This is currently not the case for XMLHttpRequest level 2. Based on
feedback from Mozilla, only Accept and Accept-Language can be set for
cross-site requests.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 14 February 2008 03:54:59 GMT
