W3C home > Mailing lists > Public > public-appformats@w3.org > December 2007

RE: Comments on: Access Control for Cross-site Requests

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 20 Dec 2007 02:13:04 +0000 (UTC)
To: "Close, Tyler J." <tyler.close@hp.com>
Cc: "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0712200208270.22033@hixie.dreamhostps.com>

On Thu, 20 Dec 2007, Close, Tyler J. wrote:
> A simple proposal would be to send an OPTIONS request to "*" asking the 
> server if it understands your new Referer-Root header. If the answer 
> comes back "yes", let through any pending requests; otherwise, treat 
> them as they currently are. RFC 2616 contains language indicating that 
> this is the expected way for a client to probe a server's functionality. 
> Once you get back the yes, assumes it's the server's problem to figure 
> out what to do with cross-domain requests to particular resources. 
> Different servers can them implement their own internal rules for access 
> to different resources.

Using OPTIONS was considered, but it's actually quite hard to make Apache 
respond to OPTIONS in author-controlled ways (and even more so if you have 
the php modules loaded, iirc).

We want to have a solution that doesn't require changes to deployed 
servers. Authors should be able to implement this without contacting their 
existing hosting provider. Similarly, existing CMSes should be able to 
implement this and existing installations should be upgradeable without 
the servers having to be upgraded as well. The fear is that without this 
migration path, the feature won't be actually available for years. The 
perceived need for this feature is very great, so there's a lot of 
pressure to make it available as soon as possible.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 20 December 2007 02:13:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:20 UTC