
[access-control] header black list

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 17 Jun 2008 15:40:53 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Sunava Dutta" <sunavad@windows.microsoft.com>
Cc: "Arthur Barstow" <art.barstow@nokia.com>, "Marc Silbey" <marcsil@windows.microsoft.com>, public-webapps <public-webapps@w3.org>, "Eric Lawrence" <ericlaw@exchange.microsoft.com>, "Chris Wilson" <Chris.Wilson@microsoft.com>, "David Ross" <dross@windows.microsoft.com>, "Mark Shlimovich (SWI)" <marksh@microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>, "Zhenbin Xu" <Zhenbin.Xu@microsoft.com>, "Michael Champion" <Michael.Champion@microsoft.com>
Message-ID: <op.ucwayfe364w2qv@annevk-t60.oslo.opera.com>

On Tue, 17 Jun 2008 06:59:50 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Block lists are unacceptable we all agree. The block list currently in
> the spec really should be moved to the XMLHttpRequest Level 1 spec as
> that is where the issue lies, not with the Access-Control spec.

Other host language implementations of Access Control that allow setting
of headers need the same kind of protection. That's why the header list is
there. Alternatively we could make it a requirement on the host language
implementation, e.g. XMLHttpRequest, to do this filtering, but that would
still require listing the headers in some way in the Access Control

This applies to the CONNECT, TRACE, and TRACK verbs as well, but I've not  
yet addressed that in the specification.

Anne van Kesteren
Received on Tuesday, 17 June 2008 13:41:35 UTC
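As an added example (not code from this thread or from any browser), this models the filtering step the message argues a host language such as XMLHttpRequest must perform before script can set a header or choose a method. The header and method names are assumptions drawn from the later Fetch Standard's forbidden request header and forbidden method lists, not from the 2008 Access Control draft.

```javascript
// Added example, not from the thread. The names below are assumptions taken
// from the later Fetch Standard's forbidden request header list and
// forbidden method list (CONNECT, TRACE, TRACK, as the message mentions).
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);
const FORBIDDEN_HEADER_PREFIXES = ["proxy-", "sec-"];
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// True when script must not be allowed to set this header (case-insensitive).
function isForbiddenRequestHeader(name) {
  const lower = String(name).toLowerCase();
  if (FORBIDDEN_HEADER_NAMES.has(lower)) return true;
  return FORBIDDEN_HEADER_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// True when the method must be rejected outright (case-insensitive).
function isForbiddenMethod(method) {
  return FORBIDDEN_METHODS.has(String(method).toUpperCase());
}

// Host-language side of the check: a forbidden method is rejected the way
// XMLHttpRequest's open() rejects it (a SecurityError), while forbidden
// headers are silently dropped the way setRequestHeader() ignores them.
// Returns the headers that survived plus the list that was dropped.
function buildRequest(method, requestedHeaders) {
  if (isForbiddenMethod(method)) {
    throw new Error(`SecurityError: method ${method} is forbidden`);
  }
  const headers = {};
  const dropped = [];
  for (const [name, value] of Object.entries(requestedHeaders)) {
    if (isForbiddenRequestHeader(name)) dropped.push(name);
    else headers[name] = value;
  }
  return { method, headers, dropped };
}

// Constructed sample: a script-supplied header set containing two entries
// the host language must strip before the request reaches the network.
const sampleRequest = buildRequest("POST", {
  "X-Custom": "1", "Host": "other.example", "Sec-Foo": "x",
});
```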
