W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

RE: XDomainRequest Integration with AC

From: Eric Lawrence <ericlaw@exchange.microsoft.com>
Date: Fri, 18 Jul 2008 16:56:57 -0700
To: Sunava Dutta <sunavad@windows.microsoft.com>, "annevk@opera.com" <annevk@opera.com>, "jonas@sicking.cc" <jonas@sicking.cc>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>
CC: "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-ID: <8301DE7F96C0074C8DA98484623D7E5146B350B1F8@DF-MASTIFF-MSG.exchange.corp.microsoft.com>
The specific concern with redirections is that we know of instances where redirection systems are in use that do not currently support addition of custom response headers, and cannot be trivially updated to add such headers.  These redirection systems include legacy C++ applications whose source is no longer available; the only possible updates are to the source->destination URLs via a database.  I've also heard reports of hardware frontend devices with similar limitations, although I'm not personally aware of a specific device with this limitation.

In general, checking the Access-control response header on every hop of a redirection chain may make the access-control specification more difficult to deploy in real-world circumstances.


From: Sunava Dutta
Sent: Friday, July 18, 2008 4:21 PM
To: annevk@opera.com; jonas@sicking.cc; Sharath Udupa; Zhenbin Xu; Gideon Cohn
Cc: public-webapps@w3.org; IE8 Core AJAX SWAT Team
Subject: XDomainRequest Integration with AC

I'm in time pressure to lock down the header names for Beta 2 to integrate XDR with AC. It seems no body has objected to Jonas's proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
Please let me know if this discussion is closed so we can make the change.

The changes to support the new Access control model is as follows -

*         Change Referer header set in the request to Origin.

*         Change the XDomainRequestAllowed header check from it being "1" to check for Access-Control: allow <*>

In addition, I realized that the discussions we had in the F2F (tracked by issue 32 http://www.w3.org/2008/webapps/track/issues/32) means that an access control check is now also performed when the redirect steps are applied to prevent data leakage from intranet pages. This is different from XDR as we currently do the check in the final destination for redirection. I think the reason why we did this in XDR was to allow cross domain resources to move around easily. That said, I'm not religious about this issue either way. (Adding my team-mates to hear if they have any concerns).  I'll ask our dev to make the change, but before that I just wanted to confirm the AC spec will be updated with this. Currently I couldn't find this in the updated spec but I could be wrong.
Received on Friday, 18 July 2008 23:58:59 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:11 UTC