[cors] Updates

After renaming the specification I decided to go through the normative  
parts of the specification again to clean various things up and resolve  
some outstanding issues. Since the October 6 editor's draft (last  
relatively stable draft) the following things have changed starting  
January 14:

  * The specification was renamed.

  * Terminology was made more consistent throughout. Cross-site,  
cross-domain, cross-origin is now all cross-origin, as it should be.

  * Fixed various examples that still used the old model.

  * User agents are to lowercase Access-Control-Request-Headers values and  
sort them. This makes it less likely for authors to depend on behavior of  
a particular user agent.

  * A change in HTML 5 resulted in origin being able to serialize to the  
string "null" again.

  * The syntax section now has requirements on servers.

  * The expiry time cache field is now called max age. Cache fields are  
linked through the document as well.

  * Parsing of headers by user agents and what to do if parsing failed is  
now more properly defined.

  * Non-normative sections and appendices are now clearly marked as such.

  * I updated the JSONRequest FAQ entry based on comments from DanC in a  
W3C QA blog post.

  * The Content-Type header is now always limited for simple requests, not  
just if the method is POST.

  * There was a logic error in the cache processing model.

  * The specification is now more clear on how preflight requests are  
supposed to work. I.e. when to include Access-Control-Request-Headers and  
Access-Control-Request-Method.

As indicated in the status e-mail more changes are underway based on  
feedback, but those should not affect implementors. I would appreciate  
feedback from implementors on the changes and in particular on the wording  
in the latest draft:

   http://dev.w3.org/2006/waf/access-control/


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 9 February 2009 12:58:29 UTC
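
Added example, not part of the original message or of the specification text: a sketch of how a user agent could decide whether a request needs a preflight and build Access-Control-Request-Headers by lowercasing and sorting the header names, with Content-Type limited for every method as the changes above describe. The function names, the lists of simple methods, headers and content types (taken from the later CORS Recommendation), the choice to list only non-simple headers, and the ", " separator are assumptions.

```javascript
// Added illustration. The simple-method, simple-header and content-type lists
// are assumptions taken from the later CORS Recommendation, not from this e-mail.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when this header does not by itself force a preflight.
function isSimpleHeader(name, value) {
  const lower = name.toLowerCase();
  if (SIMPLE_HEADERS.has(lower)) return true;
  if (lower === "content-type") {
    // The Content-Type limit applies for every method, not only POST.
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mime);
  }
  return false;
}

// Returns null for a simple request, otherwise the preflight request headers.
function buildPreflightHeaders(method, authorHeaders) {
  const nonSimple = Object.entries(authorHeaders)
    .filter(([name, value]) => !isSimpleHeader(name, value))
    .map(([name]) => name.toLowerCase());
  // Lowercase first, then de-duplicate and sort, so the value does not
  // depend on the order or casing the author happened to use.
  const names = [...new Set(nonSimple)].sort();
  const methodIsSimple = SIMPLE_METHODS.has(method); // method names are case-sensitive
  if (methodIsSimple && names.length === 0) return null;

  // Assumption: the method header is always sent on a preflight.
  const preflight = { "Access-Control-Request-Method": method };
  if (names.length > 0) {
    // Assumption: names are joined with ", ".
    preflight["Access-Control-Request-Headers"] = names.join(", ");
  }
  return preflight;
}
```

A server that compares Access-Control-Request-Headers against an allow-list should still match names case-insensitively, since not every client is guaranteed to normalize the value.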