W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: [access-control] Update

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 09 Jul 2008 13:27:30 -0700
Message-ID: <48751F32.3010501@sicking.cc>
To: Maciej Stachowiak <mjs@apple.com>
CC: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>

Maciej Stachowiak wrote:
> Hi Anne,
> Great changes. One comment:
> On Jul 8, 2008, at 12:31 PM, Anne van Kesteren wrote:
>> * Access-Control-Credentials provides an opt in mechanism for 
>> credentials. Whether or not credentials are included in the request 
>> depends on the "credentials flag", which is set by a hosting 
>> specification. Preflight requests are always without credentials.
> This does not match my understanding of what we agreed to at the 
> face-to-face meeting, which was that cookies would be auto-negotiated 
> for GET request by default for XHR2. Neither setting of the credentials 
> flag matches this. We need to either replace the true value with 
> negotiate mode, or make the flag a tri-state of true/false/negotiate, 
> with XHR2 defaulting to negotiate.

Actually, that was not my recollection of what we agreed on. Using the 
"double GET" proposal is incompatible with preflight-less POST, which 
meant that we couldn't get IE compat. So given a commitment from 
microsoft to use the AC syntax, we said that that tipped the advantage 
enough in favor of the "api flag" proposal.

At least that was my understanding.

/ Jonas
Received on Wednesday, 9 July 2008 20:28:35 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:11 UTC