Re: Access Control for Cross-site Requests WD Published

I agree w/ Kris:

Limiting HTTP headers is a real problem. I see no reason for this.
Certainly not for security reasons.

On Fri, Feb 15, 2008 at 11:14 AM, Kris Zyp <kzyp@sitepen.com> wrote:
>
>  A couple comments:
>
>  1. Why, for non same-origin requests, are users limited to only setting
>  the "Accept" and "Accept-Language" HTTP headers? Couldn't we allow a larger
>  set of safe headers to be included? At least one could define a prefixed set
>  of allowable headers (like users could set headers "Cross-*"). This seems an
>  excessive restraint and prevents some very useful functionality.
>
>  2. Can non-GET access only be granted as a response to user agent OPTION
>  requests? Is there a reason that servers can't preemptively include access
>  control headers (including policy path and max age) in GET responses to
>  grant future non-GET request? Since most non-GET requests will probably be
>  preceded by GET requests, it seems like user agents could more efficiently
>  determine access level if prior responses explicitly granted access. Of
>  course, using the OPTION requests as outlined in the WD would still be
>  appropriate if prior responses (if any) had not granted access.
>
>  This second question is not a big deal; the first one is more important to
>  me. I am sorry if this has already been discussed, I couldn't find any such
>  discussions in the archives.
>
>  Thanks,
>  Kris
>
>
>
>  ----- Original Message -----
>  From: "Anne van Kesteren" <annevk@opera.com>
>  To: "WAF WG (public)" <public-appformats@w3.org>
>  Sent: Friday, February 15, 2008 7:37 AM
>  Subject: Access Control for Cross-site Requests WD Published
>
>
>  >
>  > Hi all,
>  >
>  > The WAF WG published a new snapshot of the editor's draft of Access
>  > Control for Cross-site Requests yesterday in the W3C Technical Report
>  > space. It includes recent HTTP header name changes and incorporates a new
>  > proposal for limiting the amount of requests in case of non-GET methods to
>  > various different URIs which share the same origin.
>  >
>  > In addition to those technical changes it also makes the (until now)
>  > implicit requirements and use cases explicit by listing them in an
>  > appendix and contains a short FAQ on design decisions.
>  >
>  >   http://www.w3.org/TR/2008/WD-access-control-20080214/
>  >
>  > We expect the next draft to go to Last Call so hereby we're soliciting
>  > input, once again, from the Forms WG, HTML WG, HTTP WG, TAG, Web API WG,
>  > and Web Security Context WG. (All on the "bcc list" so we don't get
>  > massive cross-list e-mailing.)
>  >
>  > We appreciate input from anyone however, so feel free to forward or reply
>  > to this e-mail as you see fit.
>  >
>  > Kind regards,
>  >
>  >
>  > --
>  > Anne van Kesteren
>  > <http://annevankesteren.nl/>
>  > <http://www.opera.com/>
>  >
>  >
>
>
>



-- 
mca
http://amundsen.com/blog/
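The two mechanisms Kris asks about, the short list of request headers a cross-site request may carry without a preflight, and the OPTIONS exchange that grants non-GET methods together with a max-age the user agent may cache, can be modelled end to end in a few dozen lines. The following is an added illustration, not code from this thread, from the W3C draft, or from any browser; it uses the later-standardised CORS header names (Access-Control-Allow-Origin, -Allow-Methods, -Allow-Headers, -Max-Age), which differ from the 2008 WD's names, and the "GET/HEAD only, Accept and Accept-Language only" rule is taken from the reading of the draft in the thread. The policy, origins and URL are constructed samples.

```python
import time
from dataclasses import dataclass

# Request headers a cross-site request may carry without a preflight.
# The 2008 WD discussed in the thread limits these to Accept and Accept-Language.
SAFE_REQUEST_HEADERS = {"accept", "accept-language"}
# Methods that do not by themselves require a preflight (assumption: GET/HEAD,
# matching the "non-GET needs OPTIONS" reading of the draft in the thread).
SIMPLE_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Policy:
    """Server-side access control policy for one resource (constructed for this example)."""
    allowed_origins: frozenset   # e.g. {"https://app.example"}
    allowed_methods: frozenset   # non-GET methods granted to cross-site callers
    allowed_headers: frozenset   # lower-case custom header names the resource accepts
    max_age: int = 600           # seconds the user agent may cache a preflight grant


def needs_preflight(method, header_names):
    """User-agent side: does this cross-site request require an OPTIONS preflight?"""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return any(h.lower() not in SAFE_REQUEST_HEADERS for h in header_names)


def handle_preflight(policy, origin, requested_method, requested_headers):
    """Server side: evaluate a preflight. Returns response headers, or None to deny.

    Every check fails closed: an origin, method or header not explicitly listed
    in the policy is refused rather than echoed back to the caller.
    """
    if origin not in policy.allowed_origins:
        return None
    if requested_method.upper() not in policy.allowed_methods | SIMPLE_METHODS:
        return None
    for h in requested_headers:
        name = h.lower()
        if name not in SAFE_REQUEST_HEADERS and name not in policy.allowed_headers:
            return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(policy.allowed_headers)),
        "Access-Control-Max-Age": str(policy.max_age),
    }


class PreflightCache:
    """User-agent side cache of preflight grants, keyed by (origin, URL), honouring Max-Age."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so expiry can be exercised deterministically
        self._entries = {}

    def store(self, origin, url, grant):
        expires = self._clock() + int(grant["Access-Control-Max-Age"])
        methods = {m.strip().upper() for m in grant["Access-Control-Allow-Methods"].split(",") if m.strip()}
        headers = {h.strip().lower() for h in grant["Access-Control-Allow-Headers"].split(",") if h.strip()}
        self._entries[(origin, url)] = (expires, methods, headers)

    def covers(self, origin, url, method, header_names):
        """True if a still-valid cached grant already authorises this exact method and header set."""
        entry = self._entries.get((origin, url))
        if entry is None:
            return False
        expires, methods, headers = entry
        if self._clock() >= expires:
            del self._entries[(origin, url)]   # expired grants are dropped, never reused
            return False
        if method.upper() not in methods | SIMPLE_METHODS:
            return False
        return all(h.lower() in SAFE_REQUEST_HEADERS or h.lower() in headers for h in header_names)


def plan_request(cache, policy, origin, url, method, header_names):
    """Simulate one cross-site request end to end and report what the user agent did.

    Returns one of: "sent-directly", "cached-then-sent", "preflighted-then-sent", "denied".
    """
    if not needs_preflight(method, header_names):
        return "sent-directly"
    if cache.covers(origin, url, method, header_names):
        return "cached-then-sent"
    grant = handle_preflight(policy, origin, method, header_names)
    if grant is None:
        return "denied"
    cache.store(origin, url, grant)
    return "preflighted-then-sent"


if __name__ == "__main__":
    # Constructed sample policy and traffic, not taken from the thread.
    policy = Policy(frozenset({"https://app.example"}), frozenset({"PUT"}), frozenset({"x-request-id"}), 600)
    cache = PreflightCache()
    print(plan_request(cache, policy, "https://app.example", "/items/1", "GET", ["Accept"]))
    print(plan_request(cache, policy, "https://app.example", "/items/1", "PUT", ["X-Request-Id"]))
    print(plan_request(cache, policy, "https://app.example", "/items/1", "PUT", ["X-Request-Id"]))
    print(plan_request(cache, policy, "https://other.example", "/items/1", "PUT", []))
```

Running the script shows the four outcomes in order: a GET with only Accept goes out directly, the first PUT with a custom header is preflighted and granted, the repeat PUT is served from the cached grant, and a PUT from an origin the policy does not list is denied. The cache is keyed by origin and URL and re-checks method and headers on every hit, so a grant for one method or header set never silently authorises a different one; that per-resource scoping is the part of the design the draft's "limit the amount of requests to various URIs sharing an origin" proposal tries to relax without widening what a single preflight grants.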

Received on Sunday, 17 February 2008 17:18:34 UTC