- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 08 Jul 2008 21:31:40 +0200
- To: "WebApps WG" <public-webapps@w3.org>
Hi,

The WebApps WG had a F2F last week in Seattle. While I'm still a bit buzzed by the jet lag I managed to "finish" the work I started during the weekend on updating the Access Control for Cross-Site Requests (AC) specification to match resolutions and proposals made during the F2F meeting. The meeting logs of the F2F are not publicly available yet, but since the editor's draft is, I will summarize what I changed and depending on whether you trust me or not, you can infer from that what we decided upon...

The draft is available at the same place as usual:

http://dev.w3.org/2006/waf/access-control/

Here is what I changed:

* <?access-control?> is dropped. Might return in AC2.

* Access-Control is now Access-Control-Origin which takes * or a URL. In other words, whether or not a site grants access is simplified *a lot*. Implementors who told me this was the most complex part to implement can rejoice. This also makes this specification consistent with Web Sockets and postMessage(), both defined in HTML5. (Access-Control-Origin is not to be confused with the old Access-Control-Origin, which is now Origin.)

* Access-Control-Credentials provides an opt-in mechanism for credentials. Whether or not credentials are included in the request depends on the "credentials flag", which is set by a hosting specification. Preflight requests are always without credentials.

* Four new headers are introduced to deal with headers and method opt-in. Two request headers (set by the user agent): Access-Control-Request-Method and Access-Control-Request-Headers. And two response headers: Access-Control-Allow-Method and Access-Control-Allow-Headers. (The introduction of these headers also affected the preflight result cache.)

* The HTTP header blacklist is gone as that is something that affects all hosting specifications, including same-origin requests, and therefore is inappropriate in a specification intended solely for non-same-origin requests.

* I've referenced HTML5 for several concepts which hopefully encourages code reuse in user agents and also makes sure that we don't have to change if HTML5 does.

* An access control check is now also performed when the redirect steps are applied to prevent data leakage from intranet pages.

So please review the changes made and the significant revisions to the processing model. Much appreciated.

If you would like to review the CVS log entries you can do so here (changes since last time start at 1.178, "MASSIVE CHANGE"):

http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.html

Kind regards,

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 8 July 2008 19:32:14 UTC
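The access control check this message describes, as an added example in Python that is not code from the draft or from the e-mail: a user-agent-side model using the header names listed above (Access-Control-Origin with * or a URL, the Access-Control-Credentials opt-in, the preflight method/header opt-in, and the check at each redirect step). The exact matching rules (the value "true" for Access-Control-Credentials, a * grant never covering a credentialed request) are my assumptions, not the draft's text.

```python
# Added example, not code from the draft or the e-mail: a user-agent-side model of
# the access control check using the header names the message lists. The exact
# matching rules (value "true" for Access-Control-Credentials, "*" never covering a
# credentialed request) are assumptions, not the draft's text.

def parse_list(value):
    """Split a comma-separated header value into a set of lowercase tokens."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def origin_check(response_headers, origin, credentials):
    """True if Access-Control-Origin grants `origin` for this request.
    A credentialed request additionally needs the Access-Control-Credentials opt-in."""
    allow = response_headers.get("Access-Control-Origin", "").strip()
    if allow == "":
        return False
    if allow == "*":
        # Assumption: the wildcard grant is only honoured for requests without credentials.
        return not credentials
    if allow.lower() != origin.lower():
        return False
    if credentials:
        return response_headers.get("Access-Control-Credentials", "").strip().lower() == "true"
    return True

def preflight_check(response_headers, origin, method, request_headers):
    """Check a preflight response. Preflights never carry credentials, and the
    method and headers the actual request will use must be opted in by the server."""
    if not origin_check(response_headers, origin, credentials=False):
        return False
    allowed_methods = {m.strip() for m in response_headers.get("Access-Control-Allow-Method", "").split(",")}
    if method not in allowed_methods:
        return False
    allowed_headers = parse_list(response_headers.get("Access-Control-Allow-Headers", ""))
    return parse_list(request_headers) <= allowed_headers

def redirect_chain_allowed(responses, origin, credentials):
    """The check also runs at every redirect step, so each hop must grant access;
    a hop that does not (for instance an intranet page) fails the whole chain."""
    return all(origin_check(r, origin, credentials) for r in responses)

if __name__ == "__main__":
    # Constructed sample: a credentialed request from http://example.org.
    resp = {"Access-Control-Origin": "http://example.org", "Access-Control-Credentials": "true"}
    print(origin_check(resp, "http://example.org", credentials=True))
```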