W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

[access-control] WD published

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 13 Sep 2008 13:37:10 +0200
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uhe3v8ld64w2qv@annevk-t60.oslo.opera.com>

Hi,

Yesterday the WebApps WG published a new version of the Access Control for  
Cross-Site Requests specification:

   http://www.w3.org/TR/2008/WD-access-control-20080912/

Comments are welcome on this mailing list (public-webapps@w3.org) with a  
Subject starting with "[access-control] ". This draft includes the changes  
decided upon during the Seattle F2F as well as some further changes as  
discussed on this mailing list, which I'll try to summarize here:

* <?access-control?> removed.

* Access-Control-Policy-Path removed.

* Method check is now simply known as preflight request.

* The Access-Control-Origin request header is now called Origin.

* Access-Control is renamed to Access-Control-Allow-Origin and takes a  
simple origin or wildcard. (Access item is therefore gone too.)

* Introduced the Access-Control-Allow-Methods,  
Access-Control-Allow-Headers, Access-Control-Request-Method, and  
Access-Control-Request-Headers so sites can carefully opt in to HTTP  
methods and HTTP request headers.

* Simple GET and POST requests can only use a limited amount of request  
headers and the Content-Type header is even further restricted to a number  
of media types HTML form submission takes.

* The protocol is rethought in such a way that XDomainRequest can use it.

If you wish more detail you can study the CVS checkins that should have  
reasonable accurate summaries (checkins 1.170 to 1.190):

   http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html


Please note that the TR/ version of XMLHttpRequest Level 2 has not yet  
been updated to incorperate the revised protocol. Implementors are advised  
to use the editor drafts instead:

   http://dev.w3.org/2006/waf/access-control/
   http://dev.w3.org/2006/webapi/XMLHttpRequest-2/


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Saturday, 13 September 2008 11:37:51 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT