W3C home > Mailing lists > Public > public-appformats@w3.org > February 2008

Cross-site Requests and Custom HTTP Headers

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 20 Feb 2008 23:36:15 +0100
To: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t6ug2pld64w2qv@annevk-t60.oslo.opera.com>

I thought I'd outline my proposal for custom HTTP headers in a separate  
thread as the other threads had lots of noise. We change the cross-site  
request algorithm in the Access Control specification slightly to take a  
list of author provided HTTP headers. These author provided HTTP headers  
are filtered against a blacklist BL and then checked against a whitelist  
WL.

BL is the list of headers currently listed in the XMLHttpRequest  
specification under the setRequestHeader() algorithm with the addition of  
cookie and credentials headers.

WL is Accept, Accept-Language, and any other headers that we think fit  
here.

We also name the "cross-site GET access request" algorithm the "cross-site  
default access request" algorithm and the "cross-site non-GET access  
request" algorithm the "cross-site access request with preflight"  
algorithm. (Or something equivalent.)

Then if the desired request uses the HTTP GET method and checks positively  
against the whitelist WL (no other headers are included) the cross-site  
default access request algorithm is used. Otherwise the cross-site access  
request with preflight algorithm is used.

This means that cross-site GET requests with custom HTTP headers other  
than Accept and Accept-Language will also get a preflight (but are not  
prohibited) and that all the other HTTP methods will work as they do in  
the current proposal except that there header list is not restricted.

Thoughts welcome!


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 20 February 2008 22:31:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 20 February 2008 22:31:54 GMT