
Re: Feedback on Access Control

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 22 Jan 2008 19:58:10 +0000 (UTC)
To: Anne van Kesteren <annevk@opera.com>
Cc: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0801221956260.20219@hixie.dreamhostps.com>

On Tue, 22 Jan 2008, Anne van Kesteren wrote:
> >
> > Access-Control: allow <example.com> method GET
> > Access-Control: POST
> > Access-Control: PUT, DELETE, deny <example.org> method POST
> > Access-Control: GET
> > 
> > Will clients be able to parse this correctly? Please don't repeat the 
> > mistakes of the Set-Cookie header; this is very bad practice. It would 
> > be better to leverage existing syntax from other headers; e.g.,
> > 
> > Access-Control: allow="example.com"; method="GET POST PUT DELETE", 
> > deny="example.org"; method="POST GET"
> 
> Good point. Is the rest of the WG ok with changing this? Jonas?

Oops, I missed that when I read the spec.

I recommend just changing the #Method from being comma-separated to being 
space-separated, as in:

   Access-Control: allow <example.com> method GET PUT

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 22 January 2008 19:58:23 GMT
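
The parsing problem raised in the thread, as an added example that is not part of the original messages: RFC 2616 section 4.2 lets a recipient or intermediary combine repeated header fields into one comma-separated value, so a generic list parser splits on every comma. The rule grammar, function names and sample inputs below are assumptions inferred from the header examples quoted above, not the draft's actual ABNF.

```python
import re

# Assumed rule shape, inferred from the header examples in the thread:
#   ("allow" | "deny") 1*("<" origin ">") [ "method" 1*token ]
RULE = re.compile(
    r"^(allow|deny)((?:\s+<[^<>\s,]+>)+)(?:\s+method((?:\s+[A-Z]+)+))?$"
)

def fold(field_values):
    """Combine repeated header fields the way RFC 2616 section 4.2 allows."""
    return ", ".join(v.strip() for v in field_values)

def parse_rules(value):
    """Split on commas as a generic list parser would, then parse each element.

    Returns (rules, rejected): rules are (action, origins, methods) tuples,
    rejected are list elements that are not a complete rule on their own.
    """
    rules, rejected = [], []
    for element in (e.strip() for e in value.split(",")):
        m = RULE.match(element)
        if not m:
            rejected.append(element)
            continue
        origins = re.findall(r"<([^<>]+)>", m.group(2))
        methods = m.group(3).split() if m.group(3) else []
        rules.append((m.group(1), origins, methods))
    return rules, rejected

# Constructed input: the four header lines quoted in the thread
# (comma-separated methods).
COMMA_STYLE = [
    "allow <example.com> method GET",
    "POST",
    "PUT, DELETE, deny <example.org> method POST",
    "GET",
]
# Constructed input: the policy those lines are meant to express, per the
# rewrite quoted in the thread, written with space-separated methods.
SPACE_STYLE = [
    "allow <example.com> method GET POST PUT DELETE",
    "deny <example.org> method POST GET",
]

if __name__ == "__main__":
    for name, lines in (("comma", COMMA_STYLE), ("space", SPACE_STYLE)):
        rules, rejected = parse_rules(fold(lines))
        print(name, "rules:", rules, "rejected:", rejected)
```

With comma-separated methods, a parser that drops the rejected elements ends up enforcing a different policy (allow only GET, deny only POST) than the one the server sent; with space-separated methods every list element is a complete rule.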
