
Re: XDomainRequest Integration with AC

From: Jonas Sicking <jonas@sicking.cc>
Date: Sat, 19 Jul 2008 19:44:31 -0700
Message-ID: <4882A68F.7060806@sicking.cc>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Sunava Dutta <sunavad@windows.microsoft.com>, "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>

Jonas Sicking wrote:
> 
> Jonas Sicking wrote:
>>
>> Maciej Stachowiak wrote:
>>>
>>> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
>>>
>>>> I'm in time pressure to lock down the header names for Beta 2 to 
>>>> integrate XDR with AC. It seems nobody has objected to Jonas's 
>>>> proposal. 
>>>> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
>>>> Please let me know if this discussion is closed so we can make the 
>>>> change.
>>>
>>> I think Anne's email represents the most recent agreement and I don't 
>>> think anyone has objected: 
>>> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
>>>
>>> The change would be:
>>> Instead of checking for "XDomainRequestAllowed: 1" check for 
>>> "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: 
>>> url" where url matches what was sent in the Origin header.
>>
>> So I have one final request for a change to the above syntax.
>>
>> How would people feel about the syntax
>>
>> Access-Control-Allow-Origin: <url>
>>
>> This would give us at least something for a forwards compatibility 
>> story if we wanted to add to the syntax in future versions of the 
>> spec. I really think we are being overly optimistic if we think that 
>> the current syntax is the be-all end-all syntax that we'll ever want.
>>
>> For example during the meeting we talked about that banks might want 
>> to enforce that the requesting site uses a certain level of 
>> encryption, or even a certain certificate. A syntax for that might be:
>>
>> Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
>>
>> Or that the site in question uses some opt-in XSS mitigation 
>> technology (such as the one drafted by Brandon Sterns in a previous 
>> thread in this WG). This could be done as
>>
>> Access-Control-Allow-Origin: origin <https://foo.com> 
>> require-xss-protection
>>
>> So the formal syntax would be
>>
>> "Access-Control-Allow-Origin:" "<" ("*" | url) ">"
> 
> We might also want to consider simply calling the header
> 
> Access-Control-Allow
> 
> Since the above future expansions would make the header not just contain 
> the origin, but also further restrictions on the origin.

Actually, after some further thought on this, even the extra 
restrictions put on the origin are still about the origin, so keeping 
the header name as is is fine with me.

But I do think we should put the '<' '>' around it.

/ Jonas
Received on Sunday, 20 July 2008 02:46:05 GMT
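The check the thread converges on (allow the response when the header is `*` or names the exact Origin the request sent), as an added example that is not part of the original thread or of any browser's code. It accepts both the bare value agreed earlier and the bracketed `<url>` form Jonas proposes; the assumptions are that origins compare on scheme, host and default-normalised port only, and that any extension token after the closing `>` is treated as an unmet restriction, since the thread defines none.

```python
import re
from urllib.parse import urlsplit

# Proposed form from the thread: "Access-Control-Allow-Origin:" "<" ("*" | url) ">"
# Anything after the ">" is a possible future extension token.
_BRACKETED = re.compile(r"^<\s*([^<>\s]+)\s*>(.*)$")


def normalize_origin(value):
    """Reduce a URL or origin string to a (scheme, host, port) tuple.

    Returns None when there is no scheme or host, so a malformed value can
    never compare equal to a real request Origin. Default ports are filled
    in (assumption: https://foo.com and https://foo.com:443 are the same).
    """
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.hostname:
        return None
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    try:
        port = parts.port or default_port
    except ValueError:  # non-numeric port in the value
        return None
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def allow_origin_matches(header_value, request_origin):
    """True if an Access-Control-Allow-Origin value grants request_origin."""
    value = header_value.strip()
    m = _BRACKETED.match(value)
    if m:
        token, extensions = m.group(1), m.group(2).strip()
        # Assumption: extension tokens are unknown here, so they are
        # treated as restrictions this client cannot satisfy (fail closed).
        if extensions:
            return False
    else:
        token = value  # bare form: "*" or a URL without brackets
    if token == "*":
        return True
    # Exact origin comparison: no prefix, suffix or substring matching, so
    # https://foo.com does not grant https://foo.com.evil.example.
    granted = normalize_origin(token)
    return granted is not None and granted == normalize_origin(request_origin)
```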
