
[access-control] Proposal

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 15 Jul 2008 01:02:58 +0200
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uea0y8tq64w2qv@annevk-t60.oslo.opera.com>

Since implementations need answers to various open issues soonish, and I'm
leaving on vacation roughly two days from now, I'll propose various
solutions here and try to integrate them in drafts later on:


Access-Control-Origin -> Access-Control-Allow-Origin

Access-Control-Credentials -> Access-Control-Allow-Credentials


Parsing Access-Control-Allow-Origin will have a check to ensure that  
<path> is empty. If it is non-empty the network error steps will be  
applied. We keep the separate header for credentials to keep the origin  
concept orthogonal from the credentials flag.


We limit the number of Content-Type header values people can set for the
simple cross-site POST request to those you can use with HTML forms today.
This list will not become a fixed list until we work out how Access
Control for Cross-Site Requests will work together with HTML5 forms.


The XMLHttpRequest interface will gain a withCredentials boolean DOM  
attribute. The value of that attribute is used during send() and stored  
"in memory" when send() is invoked so an event listener dispatched between  
send() being invoked and the request happening cannot change it.

Anne van Kesteren
Received on Monday, 14 July 2008 23:03:26 UTC
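
The check on Access-Control-Allow-Origin proposed in the message above, sketched as an added example that is not part of the original message or of any draft. The function names, the simplified origin grammar, and the literal value "true" for Access-Control-Allow-Credentials (taken from later CORS drafts) are assumptions. The raw string is matched directly because the standard URL parser normalizes an empty path to "/" and would hide the difference.

```javascript
// Added example; all names are hypothetical, not taken from the draft.
// Assumed grammar: scheme "://" host [ ":" port ], then <path>.
const ORIGIN_RE = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#:]+)(?::(\d+))?(.*)$/i;
const DEFAULT_PORTS = { http: "80", https: "443" };

// Returns {scheme, host, port}, or null when the value is not a bare origin.
function parseAllowOrigin(value) {
  const m = ORIGIN_RE.exec(String(value).trim());
  if (!m) return null;
  const [, scheme, host, port, rest] = m;
  // The check from the proposal: <path> must be empty. Anything after the
  // authority counts here, so even a lone "/" is rejected.
  if (rest !== "") return null;
  const s = scheme.toLowerCase();
  return { scheme: s, host: host.toLowerCase(), port: port || DEFAULT_PORTS[s] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// headers: plain object keyed by lowercase header name (constructed input).
// Returns "allow" or "network error".
function checkResponse(headers, requestOrigin, withCredentials) {
  const allowed = parseAllowOrigin(headers["access-control-allow-origin"] || "");
  const requester = parseAllowOrigin(requestOrigin);
  if (!allowed || !requester || !sameOrigin(allowed, requester)) return "network error";
  // Credentials are decided by their own header, independently of the origin
  // match. Assumption: the literal value "true" grants them.
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return "network error";
  }
  return "allow";
}

// Constructed sample responses.
const samples = ["http://example.org", "http://example.org:80",
                 "http://example.org/", "http://example.org/app"];
for (const value of samples) {
  const headers = { "access-control-allow-origin": value };
  console.log(JSON.stringify(value), "->",
              checkResponse(headers, "http://example.org", false));
}
```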
