
Re: CSR and Mozilla - Clarifying HTTP Header Filtering

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 19 Feb 2008 12:33:13 +0100
To: "Thomas Roessler" <tlr@w3.org>
Cc: "Mark Baker" <distobj@acm.org>, "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
Message-ID: <op.t6rrpnub64w2qv@annevk-t60.oslo.opera.com>

On Tue, 19 Feb 2008 12:23:04 +0100, Thomas Roessler <tlr@w3.org> wrote:
> On 2008-02-19 08:48:58 +0100, Anne van Kesteren wrote:
>> No, these are completely different cases. What you're referring
>> to is ok for same-origin requests and is what the same-origin
>> requests still allow. Non same-origin requests probably require a
>> different policy though.
>
> That's not obvious to me.  So far, the basic model is that (a)
> cross-origin requests are treated roughly the same as same-origin
> requests, but (b) require specific authorization for precisely that
> reason.  (See also the accountability thread.)

That only holds true for non-GET. See my other e-mail where I made a proposal on how to deal with this. (Though I haven't filled in the specifics yet.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 19 February 2008 11:29:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 19 February 2008 11:29:10 GMT