Re: [access-control] header black list

Anne van Kesteren wrote:
> 
> On Tue, 17 Jun 2008 06:59:50 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> Block lists are unacceptable we all agree. The block list currently in
>> the spec really should be moved to the XMLHttpRequest Level 1 spec as
>> that is where the issue lies, not with the Access-Control spec.
> 
> Other host language implementations of Access Control that allow setting 
> of headers need the same kind of protection. That's why the header list 
> is there. Alternatively we could make it a requirement on the host 
> language implementation, e.g. XMLHttpRequest, to do this filtering, but 
> that would still require listing the headers in some way in the Access 
> Control specification.

These aren't headers that are dangerous in a cross-site environment, 
these are headers that are dangerous period. So any other spec that 
supports a sufficently large part of the HTTP spec would need to worry 
about them, whether it uses Access-Control or not.

> This applies to the CONNECT, TRACE, and TRACK verbs as well, but I've 
> not yet addressed that in the specification.

Same thing here.

Listing these headers and methods in the AC spec just results in a 
situation where specs can get out of sync. It seems much better to put 
the headers in the XHR spec for now, and if any other spec ends up with 
the same issues it can refer to the XHR spec.

Having it in the AC spec is only a source of confusion so far.

/ Jonas

Received on Tuesday, 17 June 2008 16:34:42 UTC