W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: [access-control] Update

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 09 Jul 2008 16:13:52 -0700
Message-ID: <48754630.5020104@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: WebApps WG <public-webapps@w3.org>

Anne van Kesteren wrote:
> 
> On Wed, 09 Jul 2008 22:22:52 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> The name "Access-Control-Origin" is IMHO confusing.
> 
> It's more or less identical to how it works for Web sockets. (Called 
> Websocket-Origin there.)

If only we had the editor of that spec around... ;)

>> Lastly, the 'URL' token http://dev.w3.org/2006/waf/access-control/#url 
>> should not be a full URL, and I don't think we want to depend on HTML5 
>> for it either. Currently we seem to be allowing the syntax
>>
>> Access-Control-Origin: http://foo.com/bar/bin/baz.html
>>
>> which I think is very bad as it seems to indicate that only that page 
>> would be allowed to POST, which of course isn't something that we can 
>> enforce.
> 
> This is exactly how postMessage() works and it seems nice to align with 
> that.

I am very strongly against this syntax as it gives a false sense of 
security. To the point where I don't think I'd be willing to implement 
it in firefox. The fact that postMessage allows this sounds very 
unfortunate and something that I will look into fixing in that spec.

I don't want to carry this mistake forward into Access-Control.

>> Additionally, the way the spec was written before we could create a 
>> conformat implementation now without having to worry about HTML5 
>> changing things under us.
> 
> Well, in the end we want all those concepts implemented in the same way 
> everywhere, right? So I'm not sure how this matters.

So why not let HTML5 refer to Access-Control?

/ Jonas
Received on Wednesday, 9 July 2008 23:14:57 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT