W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

RE: XDomainRequest Integration with AC

From: Sunava Dutta <sunavad@windows.microsoft.com>
Date: Tue, 29 Jul 2008 17:52:42 -0700
To: Maciej Stachowiak <mjs@apple.com>, Jonas Sicking <jonas@sicking.cc>
CC: "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-ID: <083D18C6B9B71F4CBCA7B76D97B748310C818A5C21@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>

Access-Control-Allow-Origin: * seems to be the consensus for the public scenario, please confirm.
On a less urgent note did we get any further traction on the discussion on angle brackets for the URL specified scenario? The last mail here seems to be on 7/21.


> -----Original Message-----
> From: Maciej Stachowiak [mailto:mjs@apple.com]
> Sent: Saturday, July 19, 2008 9:32 PM
> To: Jonas Sicking
> Cc: Sunava Dutta; annevk@opera.com; Sharath Udupa; Zhenbin Xu; Gideon
> Cohn; public-webapps@w3.org; IE8 Core AJAX SWAT Team
> Subject: Re: XDomainRequest Integration with AC
>
>
> On Jul 18, 2008, at 11:15 PM, Jonas Sicking wrote:
>
> > Maciej Stachowiak wrote:
> >> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
> >>> I'm in time pressure to lock down the header names for Beta 2 to
> >>> integrate XDR with AC. It seems no body has objected to Jonas's
> >>> proposal. http://lists.w3.org/Archives/Public/public-
> webapps/2008JulSep/0175.html
> >>> Please let me know if this discussion is closed so we can make the
> >>> change.
> >> I think Anne's email represents the most recent agreement and I
> >> don't think anyone has objected:
> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
> >> The change would be: Instead of checking for
> >> "XDomainRequestAllowed: 1" check for "Access-Control-Allow-Origin:
> >> *" or "Access-Control-Allow-Origin: url" where url matches what was
> >> sent in the Origin header.
> >
> > So I have one final request for a change to the above syntax.
> >
> > How would people feel about the syntax
> >
> > Access-Control-Allow-Origin: <url>
>
> I don't think the angle brackets are necessary for forward compat,
> since we can just disallow spaces from the URL.
>
>   - Maciej
>
> >
> >
> > This would give us at least something for a forwards compatibility
> > story if we wanted to add to the syntax in future versions of the
> > spec. I really think we are being overly optimistic if we think that
> > the current syntax is the be-all end-all syntax that we'll ever want.
> >
> > For example during the meeting we talked about that banks might want
> > to enforce that the requesting site uses a certain level of
> > encryption, or even a certain certificate. A syntax for that might
> be:
> >
> > Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
> >
> > Or that the site in question uses some opt-in XSS mitigation
> > technology (such as the one drafted by Brandon Sterns in a previous
> > thread in this WG). This could be done as
> >
> > Access-Control-Allow-Origin: origin <https://foo.com> require-xss-
> > protection
> >
> > So the formal syntax would be
> >
> > "Access-Control-Allow-Origin:" "<" ("*" | url) ">"
> >
> > / Jonas
> >
> > / Jonas
>
Received on Wednesday, 30 July 2008 00:53:29 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT