W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

[access-control] Issue list

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 08 Jul 2008 21:41:35 +0200
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.udznnlmx64w2qv@annevk-t60.oslo.opera.com>


It's not really clear to me what process this Working Group uses for  
closing issues, so I'll summarize here what I think that status is of the  
issues reported for the Access Control for Cross-Site Requests  


  * ISSUE-10 - There needs to be opt in on the server side and the client  
side also needs changing. It's not clear to me what this issue is about.  
(And hasn't been since it was raised...)

  * ISSUE-11 - Not sure what to do about this issue either.

  * ISSUE-12 - Access-Control-Policy-Path is gone until someone can propose  
a model that works.

  * ISSUE-13 - You now need to opt in to exposing credential specific  
content using a specific header.

  * ISSUE-14 - Header and method opt in is now part of the specification.

  * ISSUE-24 - Exactly three headers are part of the access control simple  
request header whitelist: Accept, Accept-Language, and Content-Type.  
Requiring a preflight for anything else does not seem like a high burden  
to me, although we might want to allow Last-Event-ID too for HTML5.

  * ISSUE-25 - If you want to revoke rights, or empty the cache, simply  
reply without an Access-Control-Origin header or an Access-Control-Origin  
header that contains a value that indicates the site is no longer allowed  
to access.

  * ISSUE-26 - Wildcarding when the credentials flag is true is not  
possible. This issue is now bogus.

  * ISSUE-31 - POST is now allowed without a preflight, as long as the  
request sticks to the whitelisted headers.

  * ISSUE-32 - Redirects are required to apply the access control check.

That's it.

Kind regards,

Anne van Kesteren
Received on Tuesday, 8 July 2008 19:42:09 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:11 UTC