Re: XDomainRequest Integration with AC

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 30 Jul 2008 02:19:47 -0700
Cc: Jonas Sicking <jonas@sicking.cc>, "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-Id: <236C8CE2-439F-48A2-A07E-0D6B5E9A8916@apple.com>
To: Sunava Dutta <sunavad@windows.microsoft.com>


On Jul 29, 2008, at 5:52 PM, Sunava Dutta wrote:

> Access-Control-Allow-Origin: * seems to be the consensus for the  
> public scenario, please confirm.

Yes.

> On a less urgent note did we get any further traction on the  
> discussion on angle brackets for the URL specified scenario? The  
> last mail here seems to be on 7/21.

Jonas and I agreed offline that angle brackets are not required for  
unambiguous parsing.

  - Maciej

>
>
>
>> -----Original Message-----
>> From: Maciej Stachowiak [mailto:mjs@apple.com]
>> Sent: Saturday, July 19, 2008 9:32 PM
>> To: Jonas Sicking
>> Cc: Sunava Dutta; annevk@opera.com; Sharath Udupa; Zhenbin Xu; Gideon
>> Cohn; public-webapps@w3.org; IE8 Core AJAX SWAT Team
>> Subject: Re: XDomainRequest Integration with AC
>>
>>
>> On Jul 18, 2008, at 11:15 PM, Jonas Sicking wrote:
>>
>>> Maciej Stachowiak wrote:
>>>> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
>>>>> I'm in time pressure to lock down the header names for Beta 2 to
>>>>> integrate XDR with AC. It seems nobody has objected to Jonas's
>>>>> proposal.
>>>>> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
>>>>> Please let me know if this discussion is closed so we can make the
>>>>> change.
>>>> I think Anne's email represents the most recent agreement and I
>>>> don't think anyone has objected:
>>>> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
>>>> The change would be: Instead of checking for
>>>> "XDomainRequestAllowed: 1" check for "Access-Control-Allow-Origin:
>>>> *" or "Access-Control-Allow-Origin: url" where url matches what was
>>>> sent in the Origin header.
>>>
>>> So I have one final request for a change to the above syntax.
>>>
>>> How would people feel about the syntax
>>>
>>> Access-Control-Allow-Origin: <url>
>>
>> I don't think the angle brackets are necessary for forward compat,
>> since we can just disallow spaces from the URL.
>>
>>  - Maciej
>>
>>>
>>>
>>> This would give us at least something for a forwards compatibility
>>> story if we wanted to add to the syntax in future versions of the
>>> spec. I really think we are being overly optimistic if we think that
>>> the current syntax is the be-all end-all syntax that we'll ever  
>>> want.
>>>
>>> For example during the meeting we talked about that banks might want
>>> to enforce that the requesting site uses a certain level of
>>> encryption, or even a certain certificate. A syntax for that might be:
>>>
>>> Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
>>>
>>> Or that the site in question uses some opt-in XSS mitigation
>>> technology (such as the one drafted by Brandon Sterns in a previous
>>> thread in this WG). This could be done as
>>>
>>> Access-Control-Allow-Origin: origin <https://foo.com> require-xss-protection
>>>
>>> So the formal syntax would be
>>>
>>> "Access-Control-Allow-Origin:" "<" ("*" | url) ">"
>>>
>>> / Jonas
>>
>
Received on Wednesday, 30 July 2008 09:20:32 GMT
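
Added example, not part of the archived message and not code from any browser: a sketch of the check described in the thread ("Access-Control-Allow-Origin: *", or a url matching what was sent in the Origin header), showing why disallowing spaces in the URL keeps the bracketless form unambiguous. The function name, result shape, exact-string origin comparison and sample values are assumptions made for illustration.

```javascript
// Illustration of the header check proposed in this thread.
// checkAllowOrigin and its { allowed, reason } result are hypothetical names.
function checkAllowOrigin(headerValue, requestOrigin) {
  // No header at all: the resource did not opt in to cross-origin access.
  if (headerValue === undefined || headerValue === null) {
    return { allowed: false, reason: "missing" };
  }
  // Strip optional whitespace around the field value.
  const value = String(headerValue).replace(/^[ \t]+|[ \t]+$/g, "");
  if (value === "") return { allowed: false, reason: "empty" };
  // Spaces are disallowed inside the URL, so the value is exactly one token.
  // Internal whitespace therefore means a syntax this parser does not know
  // (for instance a later extension with extra keywords): fail closed
  // instead of guessing which token is the origin.
  if (/\s/.test(value)) return { allowed: false, reason: "unknown-syntax" };
  // "*" is the public scenario: any requesting origin may read the response.
  if (value === "*") return { allowed: true, reason: "wildcard" };
  // Assumption: "matches" is taken as exact string equality with the
  // value the client sent in its Origin header.
  if (value === requestOrigin) return { allowed: true, reason: "origin-match" };
  return { allowed: false, reason: "origin-mismatch" };
}

// Constructed sample header values, checked against one constructed origin.
const SAMPLE_ORIGIN = "https://foo.com";
const SAMPLES = [
  "*",
  "https://foo.com",
  "https://evil.example",
  "<https://foo.com>",                         // bracketed form from the thread
  "origin <https://foo.com> encryption sha1",  // extended form from the thread
  "* https://foo.com",
];

// Returns one "value => reason" line per sample so the outcomes can be compared.
function runSamples() {
  return SAMPLES.map(
    (v) => `${v} => ${checkAllowOrigin(v, SAMPLE_ORIGIN).reason}`
  );
}

console.log(runSamples().join("\n"));
```

A parser written this way rejects the extended keyword forms rather than misreading them, so a server that requires the extra conditions is never treated as having granted plain access.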
