- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 08 Jul 2008 21:41:35 +0200
- To: "WebApps WG" <public-webapps@w3.org>
Hi,

It's not really clear to me what process this Working Group uses for closing issues, so I'll summarize here what I think the status is of the issues reported for the Access Control for Cross-Site Requests specifications.

http://www.w3.org/2008/webapps/track/products/7

* ISSUE-10 - There needs to be opt in on the server side and the client side also needs changing. It's not clear to me what this issue is about. (And hasn't been since it was raised...)

* ISSUE-11 - Not sure what to do about this issue either.

* ISSUE-12 - Access-Control-Policy-Path is gone until someone can propose a model that works.

* ISSUE-13 - You now need to opt in to exposing credential specific content using a specific header.

* ISSUE-14 - Header and method opt in is now part of the specification.

* ISSUE-24 - Exactly three headers are part of the access control simple request header whitelist: Accept, Accept-Language, and Content-Type. Requiring a preflight for anything else does not seem like a high burden to me, although we might want to allow Last-Event-ID too for HTML5.

* ISSUE-25 - If you want to revoke rights, or empty the cache, simply reply without an Access-Control-Origin header or an Access-Control-Origin header that contains a value that indicates the site is no longer allowed to access.

* ISSUE-26 - Wildcarding when the credentials flag is true is not possible. This issue is now bogus.

* ISSUE-31 - POST is now allowed without a preflight, as long as the request sticks to the whitelisted headers.

* ISSUE-32 - Redirects are required to apply the access control check.

That's it.

Kind regards,

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 8 July 2008 19:42:09 UTC
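
The rules summarized in the message above (ISSUE-24, -25, -26, -31, -32), modelled as an added example; this is not code from the specification or from the author. Assumptions: GET is treated as a simple method alongside POST, header maps use lowercase keys, the cache is a simplified stand-in for the preflight result cache, and ISSUE-32 is read as every response in a redirect chain having to pass the check.

```javascript
// ISSUE-24: the simple request header whitelist named in the message.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-type"]);
// ISSUE-31 names POST; GET is an assumption added for this example.
const SIMPLE_METHODS = new Set(["GET", "POST"]);

// True when the client must send a preflight before the actual request.
function needsPreflight(method, headerNames) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return headerNames.some((h) => !SIMPLE_HEADERS.has(h.toLowerCase()));
}

// Access control check on one response (ISSUE-25, ISSUE-26).
// responseHeaders: object with lowercase header names (assumption).
function accessCheck(responseHeaders, origin, credentialsFlag) {
  const value = responseHeaders["access-control-origin"];
  if (value === undefined) return false;        // header absent: no access
  if (value === "*") return !credentialsFlag;   // no wildcard with credentials
  return value === origin;                      // any other value must match
}

// Simplified cache: an entry survives only while responses keep passing.
class PreflightCache {
  constructor() { this.entries = new Set(); }
  key(origin, url) { return origin + " " + url; }
  has(origin, url) { return this.entries.has(this.key(origin, url)); }
  // Record a response; a failed check evicts the entry (ISSUE-25 revocation).
  update(origin, url, responseHeaders, credentialsFlag) {
    const ok = accessCheck(responseHeaders, origin, credentialsFlag);
    if (ok) this.entries.add(this.key(origin, url));
    else this.entries.delete(this.key(origin, url));
    return ok;
  }
}

// ISSUE-32: each hop in a redirect chain is checked, not only the last one.
function checkRedirectChain(hops, origin, credentialsFlag) {
  return hops.every((hop) => accessCheck(hop.headers, origin, credentialsFlag));
}

// Constructed sample values for a stand-alone run.
const ORIGIN = "http://app.example";
const cache = new PreflightCache();
cache.update(ORIGIN, "http://api.example/x", { "access-control-origin": ORIGIN }, true);
console.log("cached after grant:", cache.has(ORIGIN, "http://api.example/x"));
cache.update(ORIGIN, "http://api.example/x", {}, true); // server drops the header
console.log("cached after revoke:", cache.has(ORIGIN, "http://api.example/x"));
console.log("Last-Event-ID needs preflight:", needsPreflight("GET", ["Last-Event-ID"]));
```

A server that audits its own responses can use the same check to confirm that a revocation, sent as a reply without the Access-Control-Origin header, actually denies access and evicts the cached grant.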