- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 01 Aug 2007 13:19:40 +0200
- To: "WAF WG (public)" <public-appformats@w3.org>
I wrote up access requests as part of the access-control specification, but after thinking about it I think it makes more sense if specifications that use the access control mechanism, such as XMLHttpRequest, define how to perform the request exactly and that the access-control specification makes some requirements on such requests. Here's what I came up with in not so formal language:

requests
* need to include Referer-Root header (contains requesting URI)
* need to handle redirects
* need to handle network issues
* redirects need to be cancelable (for XMLHttpRequest 2)

non-GET requests
* need to make GET request first with If-Method-Allowed header set
* for this GET request you need to store the URI after all redirects are made (final URI)
* you need to perform an access check on the final URI
* then make a non-GET request to the final URI

(For the non-GET requests the request requirements still apply of course.)

Whether an access check is performed at the end of the request depends on the specification. For XMLHttpRequest it would be if the final URI is not a same-origin URI.

I think it makes sense to put guidelines regarding those requests in the access-control specification as well as to register the Referer-Root header and If-Method-Allowed header as part of that specification.

Any thoughts?

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
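The request procedure sketched in the message, as an added example that is not part of the original post or of the access-control specification: a client-side simulation in Python that sends Referer-Root on every request, probes non-GET requests with a GET carrying If-Method-Allowed, follows (cancelable) redirects to the final URI, runs the access check on that final URI unless it is same-origin, and treats a failed fetch as a network issue. The in-memory FAKE_SERVER, the `access-ok` marker and the `access_check` stand-in are assumptions made for this example; the real access decision is whatever the specification defines.

```python
from urllib.parse import urlsplit
# Constructed fake transport standing in for the network: (method, URI) -> (status, headers).
# Header names are lowercased; 'access-ok' is a made-up marker used only by this example.
FAKE_SERVER = {
    ("GET", "http://api.example/data"): (302, {"location": "http://api.example/v2/data"}),
    ("GET", "http://api.example/v2/data"): (200, {"access-ok": "1"}),
    ("POST", "http://api.example/v2/data"): (201, {}),
    ("GET", "http://other.example/closed"): (200, {}),
}
MAX_REDIRECTS = 5

def fetch(method, uri, headers):
    # Stand-in for the network; an unknown (method, URI) raises KeyError, treated as a network failure.
    return FAKE_SERVER[(method, uri)]

def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def access_check(final_uri, headers):
    # ASSUMPTION: the real decision is whatever the access-control spec defines; this
    # stand-in grants access only when the server set the constructed 'access-ok' marker.
    return headers.get("access-ok") == "1"

def access_controlled_request(method, uri, requesting_uri, on_redirect=None):
    base = {"Referer-Root": requesting_uri}          # required on every request
    probe = dict(base)
    if method != "GET":
        probe["If-Method-Allowed"] = method          # non-GET: a GET probe goes first
    final_uri = uri
    try:
        for _ in range(MAX_REDIRECTS):
            status, headers = fetch("GET", final_uri, probe)
            if status not in (301, 302, 303, 307):
                break
            target = headers["location"]
            if on_redirect and not on_redirect(final_uri, target):   # cancelable (XHR 2)
                return {"ok": False, "reason": "redirect cancelled", "final_uri": final_uri}
            final_uri = target                       # remember the URI after redirects
        else:
            return {"ok": False, "reason": "too many redirects", "final_uri": final_uri}
        # The access check applies to the final URI; XHR skips it for same-origin URIs.
        if not same_origin(final_uri, requesting_uri) and not access_check(final_uri, headers):
            return {"ok": False, "reason": "access denied", "final_uri": final_uri}
        if method != "GET":
            status, headers = fetch(method, final_uri, base)   # real request hits the final URI
    except KeyError as e:
        return {"ok": False, "reason": f"network error: {e}", "final_uri": final_uri}
    return {"ok": True, "status": status, "final_uri": final_uri}
```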
Received on Wednesday, 1 August 2007 11:19:43 UTC