W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

RE: [access-control] Update

From: Sunava Dutta <sunavad@windows.microsoft.com>
Date: Wed, 9 Jul 2008 13:48:18 -0700
To: Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, Maciej Stachowiak <mjs@apple.com>
CC: WebApps WG <public-webapps@w3.org>
Message-ID: <083D18C6B9B71F4CBCA7B76D97B748310C813A4925@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
Sorry, just got around to catching up with this conversation.

As promised, I've discussed the proposal we discussed at the F2F with my extended team and we're excited about making the change to integrate XDomainRequest with the public scenarios specified by Access Control. This means IE8 will ship the updated section of Access Control that enables public data aggregation (no creds on wildcard) while setting us up on a trajectory to support more in the future (post IE8) using the API flag in an XDR level 2.

However, understandably, we'd like to get this goodness out to devs as early as our Beta 2. In order to do so, I need to understand this area of the spec (public data) will not change significantly unless there are new security concerns?

I'm awaiting ongoing conversations on the actual header name to be locked down. I just read Jonas's proposal and will comment on that after this. Once those are stable (the earlier the better as we are in a Beta 2 time crunch) my team will be making the necessary updates to XDR to support the Access control language.
Namely,
1) Retirement of XDomainRequest:1 on client side to Access-Control-Origin:<origin>
2) Understanding server response of Access-Control:* in place of XDomainRequestAllowed:1, which will be retired as well.
...Or whatever the new header we decide on.

When the API switch in a post IE8 version of XDR is flipped to 'private' or its equivalent, we will allow headers to be set (including whitelist) and creds sent cross domain among other features of AC pending the remaining few issues are locked down. I think we made solid progress in raising and closing issues in the F2F.

Thanks!


> -----Original Message-----
> From: public-webapps-request@w3.org [mailto:public-webapps-
> request@w3.org] On Behalf Of Anne van Kesteren
> Sent: Wednesday, July 09, 2008 1:34 PM
> To: Jonas Sicking; Maciej Stachowiak
> Cc: WebApps WG
> Subject: Re: [access-control] Update
>
>
> On Wed, 09 Jul 2008 22:27:30 +0200, Jonas Sicking <jonas@sicking.cc>
> wrote:
> > Actually, that was not my recollection of what we agreed on. Using
> the
> > "double GET" proposal is incompatible with preflight-less POST, which
> > meant that we couldn't get IE compat. So given a commitment from
> > microsoft to use the AC syntax, we said that that tipped the
> advantage
> > enough in favor of the "api flag" proposal.
> >
> > At least that was my understanding.
>
> Well, there's no such commitment and Maciej is right that we didn't
> make
> any new resolutions after we resolved to go for double GET. (We decided
> that we're willing to change on the condition a commitment was made.)
>
> If there's no new information soonish I'll spec out the double GET
> version.
>
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>
>

Received on Wednesday, 9 July 2008 20:49:16 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT