
[access-control] WD published

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 13 Sep 2008 13:37:10 +0200
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uhe3v8ld64w2qv@annevk-t60.oslo.opera.com>


Yesterday the WebApps WG published a new version of the Access Control for  
Cross-Site Requests specification:


Comments are welcome on this mailing list (public-webapps@w3.org) with a  
Subject starting with "[access-control] ". This draft includes the changes  
decided upon during the Seattle F2F as well as some further changes as  
discussed on this mailing list, which I'll try to summarize here:

* <?access-control?> removed.

* Access-Control-Policy-Path removed.

* Method check is now simply known as preflight request.

* The Access-Control-Origin request header is now called Origin.

* Access-Control is renamed to Access-Control-Allow-Origin and takes a  
simple origin or wildcard. (Access item is therefore gone too.)

* Introduced the Access-Control-Allow-Methods,  
Access-Control-Allow-Headers, Access-Control-Request-Method, and  
Access-Control-Request-Headers so sites can carefully opt in to HTTP  
methods and HTTP request headers.

* Simple GET and POST requests can only use a limited amount of request  
headers and the Content-Type header is even further restricted to a number  
of media types HTML form submission takes.

* The protocol is rethought in such a way that XDomainRequest can use it.

If you wish more detail you can study the CVS checkins that should have  
reasonably accurate summaries (checkins 1.170 to 1.190):


Please note that the TR/ version of XMLHttpRequest Level 2 has not yet  
been updated to incorporate the revised protocol. Implementors are advised  
to use the editor drafts instead:


Anne van Kesteren
Received on Saturday, 13 September 2008 11:37:51 UTC
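
The opt-in summarized in the list above can be modelled in a few lines. This is an added example, not part of the original message or the specification, and it is a simplified model rather than the draft's normative algorithm: it decides whether a request is "simple" or needs a preflight, and how a server answers the preflight using the header names from the message. The function names, the policy object, the set of simple request header names and the sample origin are assumptions made for illustration.

```javascript
// Added illustration; function names and policy shape are hypothetical, not from the spec.
// The three media types an HTML form submission can produce (form enctype values).
const FORM_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
// Assumption: the message only says "a limited amount of request headers".
const SIMPLE_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
// Constructed sample policy for a resource that opts in to PUT/DELETE from one origin.
const SAMPLE_POLICY = { origins: ["https://app.example"], methods: ["PUT", "DELETE"], headers: ["x-request-id"] };

// Header names are case-insensitive: normalise names, trim values.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Client side: must a preflight request be sent before this cross-site request?
function needsPreflight(method, headers) {
  const h = lower(headers);
  if (method !== "GET" && method !== "POST") return true;
  if (Object.keys(h).some(name => !SIMPLE_HEADERS.includes(name))) return true;
  const ct = h["content-type"];
  if (ct === undefined) return false;
  // Parameters such as charset are ignored; only the media type is compared.
  return !FORM_TYPES.includes(ct.split(";")[0].trim().toLowerCase());
}

// Server side: answer a preflight. Returns the response headers to send,
// or null when the request is not opted in (send no Access-Control-* headers).
function answerPreflight(policy, requestHeaders) {
  const h = lower(requestHeaders);
  const origin = h["origin"];
  const method = h["access-control-request-method"];
  if (!origin || !method) return null;
  if (!policy.origins.includes(origin)) return null;   // exact match, no substring tests
  if (!policy.methods.includes(method)) return null;
  const asked = (h["access-control-request-headers"] || "")
    .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
  if (!asked.every(name => policy.headers.includes(name))) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": policy.methods.join(", "),
    "Access-Control-Allow-Headers": policy.headers.join(", "),
  };
}
```

Refusing by returning no Access-Control-* headers keeps the default same-origin restriction in place, so a typo in the policy fails closed.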
