
Re: XDomainRequest Integration with AC

From: Maciej Stachowiak <mjs@apple.com>
Date: Fri, 18 Jul 2008 16:59:52 -0700
Cc: "annevk@opera.com" <annevk@opera.com>, "jonas@sicking.cc" <jonas@sicking.cc>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-Id: <8DF4D8E8-4413-4FA3-8443-EEC4C1AB859A@apple.com>
To: Sunava Dutta <sunavad@windows.microsoft.com>

On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:

> I'm in time pressure to lock down the header names for Beta 2 to
> integrate XDR with AC. It seems nobody has objected to Jonas's
> proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
> Please let me know if this discussion is closed so we can make the
> change.

I think Anne's email represents the most recent agreement and I don't  
think anyone has objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html

The change would be:

Instead of checking for "XDomainRequestAllowed: 1", check for
"Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url" where
url matches what was sent in the Origin header.

Regards,
Maciej



>
> Namely,
> The changes to support the new Access control model are as follows:
>
> - Change Referer header set in the request to Origin.
> - Change the XDomainRequestAllowed header check from it
> being "1" to check for Access-Control: allow <*>
>
> In addition, I realized that the discussions we had in the F2F
> (tracked by issue 32, http://www.w3.org/2008/webapps/track/issues/32)
> means that an access control check is now also performed when the
> redirect steps are applied to prevent data leakage from intranet
> pages. This is different from XDR as we currently do the check in
> the final destination for redirection. I think the reason why we did
> this in XDR was to allow cross domain resources to move around
> easily. That said, I'm not religious about this issue either way.
> (Adding my team-mates to hear if they have any concerns). I'll ask
> our dev to make the change, but before that I just wanted to confirm
> the AC spec will be updated with this. Currently I couldn't find
> this in the updated spec but I could be wrong.
> Thanks,
Received on Saturday, 19 July 2008 00:00:35 GMT
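The header check Maciej describes, as an added example that is not from the thread or from any browser's code: the old XDomainRequestAllowed test beside the Access-Control-Allow-Origin test, applied at every hop of a redirect chain as the issue 32 discussion requires. The exact string comparison of the allowed value against the Origin header, and the sample responses, are assumptions of this example.

```python
# Added example, not code from the thread. Header names and values come
# from the discussion; the responses below are constructed sample data.


def _lower_keys(headers):
    """Header names are case-insensitive; normalise for lookup."""
    return {name.lower(): value for name, value in headers.items()}


def old_xdr_check(headers):
    """Pre-AC XDR rule: the response must carry 'XDomainRequestAllowed: 1'."""
    return _lower_keys(headers).get("xdomainrequestallowed", "").strip() == "1"


def access_control_check(request_origin, headers):
    """AC rule from the thread: Access-Control-Allow-Origin must be '*' or
    match the value sent in the request's Origin header.
    Assumption: 'matches' means an exact string comparison, so a trailing
    slash or a different scheme is a mismatch."""
    allow = _lower_keys(headers).get("access-control-allow-origin")
    if allow is None:
        return False
    allow = allow.strip()
    return allow == "*" or allow == request_origin


def fetch_allowed(request_origin, responses):
    """Apply the check at every hop, not only the final destination, so a
    redirect through an intranet page that does not opt in is refused.
    `responses` is the ordered list of (status, headers) seen by the client."""
    for _status, headers in responses:
        if not access_control_check(request_origin, headers):
            return False
    return True


if __name__ == "__main__":
    origin = "http://example.com"
    chain = [
        (302, {"Location": "http://intranet.example/data", "Access-Control-Allow-Origin": "*"}),
        (200, {"Access-Control-Allow-Origin": origin}),
    ]
    print(fetch_allowed(origin, chain))
```

The second check in the test below shows the data-leakage case the thread raises: the final destination opts in, but the intermediate hop does not, so the request is refused.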
