W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: [access-control] Update

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 09 Jul 2008 16:08:32 -0700
Message-ID: <487544F0.8040106@sicking.cc>
To: Maciej Stachowiak <mjs@apple.com>
CC: Anne van Kesteren <annevk@opera.com>, Sunava Dutta <sunavad@windows.microsoft.com>, WebApps WG <public-webapps@w3.org>

Maciej Stachowiak wrote:
> 
> On Jul 9, 2008, at 3:17 PM, Anne van Kesteren wrote:
> 
>>
>> On Wed, 09 Jul 2008 23:54:17 +0200, Sunava Dutta 
>> <sunavad@windows.microsoft.com> wrote:
>>> I prefer
>>> Access-control: *
>>> Access-control: <URL>
>>
>> I suppose it would be slightly shorter, but it's also less clear.
> 
> I would be in favor of Access-Control or Access-Control-Allow, I think 
> Access-Control-Origin and Origin are confusing in combination. It seems 
> unclear from the names which is a request header and which is a response 
> header.

Agreed.

I also think that putting a somewhat more verbose syntax will give us a 
better forwards compat story. For example

Access-Control: allow-without-query-parameters <*>
or
Access-Control: allow-only-tuesdays <*>

I have a hard time believing that we would never find it useful to 
extend the syntax in future versions of the spec. I also as an 
implementor don't find it hard to strip out "allow <" before the origin.

I also find it very useful that you can just look at the header in order 
to realize that it is granting some sort of access, which putting the 
word "allow" in the syntax does.

So either
Access-control: allow <*>
or
Access-control-Allow: *
fulfills that.

That said, I would be ok with simply
Access-Control: *
as well. If we need degradation in the future we can always invent new 
headers...

/ Jonas
Received on Wednesday, 9 July 2008 23:09:34 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT