Re: Update to Access Control for Cross-site Requests

I offered a proposed list of request headers for the whitelist here:
http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0282.html

Since the recent draft includes explicit information on including
Authentication and Cookie support, the end-portion of the above post
is out-of-date.

MikeA

On Mon, Apr 7, 2008 at 7:21 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>
>
>  Anne van Kesteren wrote:
>
> >
> > On Mon, 07 Apr 2008 21:18:03 +0200, Elias Sinderson <elias@soe.ucsc.edu>
> > wrote:
> >
> > > Anne van Kesteren wrote:
> > >
> > > > I have updated the editor's draft of the Access Control for Cross-site
> > > > Requests specification to include support for HTTP headers [...] Nothing
> > > > else has changed because no other changes have been proposed.
> > > >
> > >
> > > Thanks for the update, much appreciated.
> > > I see no mention of If-* headers and cannot recall there being reason
> > > provided to omit them (on-list, at least). Certainly being able to make
> > > conditional requests that would otherwise be allowed as non-conditional
> > > should be allowed?
> > >
> >
> > They are allowed. Though even for GET requests they would require a
> > preflight request first. Currently the only headers that are allowed without
> > preflight (only GET requests can go without a preflight) are Accept and
> > Accept-Language, based on earlier feedback from Ian Hickson. However, maybe
> > we should simply remove those and always require a preflight request for a
> > request with "custom" headers. Not sure.
> >
>
> I think it's useful to have a white-list of headers that should be safe for
> GET requests without a pre-flight request. I would actually like to expand
> the list a little. There was a thread on that a while ago, but it seemed to
> have died without reaching a useful list.
>
>  / Jonas
>
>



-- 
mca
http://amundsen.com/blog/
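The rule discussed in the thread above (a cross-site GET may skip the preflight only when every author-set header is on a small whitelist, currently Accept and Accept-Language; anything else, including If-* conditional headers, forces a preflight) can be modelled in a few lines. The following is an added example written for this page, not code from the thread, the draft, or any W3C implementation. It assumes the header names of the final CORS specification (Access-Control-Request-Headers, Access-Control-Allow-Origin, and so on), which the 2008 draft under discussion may not have used yet, and the origins, methods and headers in the policy are constructed sample values.

```python
"""Model of the no-preflight whitelist plus a server-side preflight check.

Added example, not part of the mailing-list thread. Header names follow the
final CORS specification (an assumption; the 2008 draft may differ).
"""

# Request headers a cross-site GET may carry without a preflight, per the
# thread: Accept and Accept-Language. Header names are case-insensitive.
NO_PREFLIGHT_HEADERS = frozenset({"accept", "accept-language"})


def custom_headers(headers: dict) -> list:
    """Author-set request headers that are not on the whitelist, lower-cased.

    `headers` maps header name to value; only the names matter here.
    """
    return [n.lower() for n in headers if n.lower() not in NO_PREFLIGHT_HEADERS]


def needs_preflight(method: str, headers: dict) -> bool:
    """True if the browser must send a preflight before this request.

    Only GET can ever skip the preflight, and only when no custom header
    (e.g. If-Modified-Since, X-Requested-With) is present.
    """
    if method.upper() != "GET":
        return True
    return bool(custom_headers(headers))


class PreflightPolicy:
    """Server-side allow-list consulted when answering an OPTIONS preflight."""

    def __init__(self, allowed_origins, allowed_methods, allowed_headers):
        self.allowed_origins = frozenset(allowed_origins)
        self.allowed_methods = frozenset(m.upper() for m in allowed_methods)
        self.allowed_headers = frozenset(h.lower() for h in allowed_headers)

    def handle_preflight(self, origin: str, request_method: str,
                         request_headers) -> tuple:
        """Evaluate a preflight; returns (status, response_headers).

        `request_headers` is the raw Access-Control-Request-Headers value
        (comma-separated) or None. Any disallowed origin, method or header
        yields 403 with no Allow-* headers, so nothing is cached as granted.
        """
        if origin not in self.allowed_origins:
            return 403, {}
        if request_method.upper() not in self.allowed_methods:
            return 403, {}
        wanted = [h.strip().lower()
                  for h in (request_headers or "").split(",") if h.strip()]
        if any(h not in self.allowed_headers for h in wanted):
            return 403, {}
        resp = {
            # Echo the single matching origin rather than "*", and tell
            # caches the answer depends on Origin.
            "Access-Control-Allow-Origin": origin,
            "Vary": "Origin",
            "Access-Control-Allow-Methods": request_method.upper(),
            "Access-Control-Max-Age": "600",
        }
        if wanted:
            resp["Access-Control-Allow-Headers"] = ", ".join(wanted)
        return 200, resp


def browser_would_send(policy: PreflightPolicy, origin: str,
                       method: str, headers: dict) -> bool:
    """Client-side model: skip the preflight when the whitelist allows it,
    otherwise perform one and proceed only if every custom header and the
    method were granted."""
    if not needs_preflight(method, headers):
        return True
    extra = custom_headers(headers)
    status, resp = policy.handle_preflight(origin, method,
                                           ", ".join(extra) or None)
    if status != 200:
        return False
    methods = {m.strip().upper()
               for m in resp.get("Access-Control-Allow-Methods", "").split(",")}
    granted = {h.strip().lower()
               for h in resp.get("Access-Control-Allow-Headers", "").split(",")
               if h.strip()}
    return method.upper() in methods and set(extra) <= granted


if __name__ == "__main__":
    # Constructed sample policy: one trusted origin, GET/POST, and a
    # conditional-request header explicitly allowed.
    policy = PreflightPolicy(["https://app.example"], ["GET", "POST"],
                             ["if-modified-since"])
    plain = {"Accept": "application/json"}
    conditional = {"Accept": "application/json",
                   "If-Modified-Since": "Mon, 07 Apr 2008 19:18:03 GMT"}
    print(needs_preflight("GET", plain))            # False
    print(needs_preflight("GET", conditional))      # True
    print(browser_would_send(policy, "https://app.example", "GET", conditional))
    print(browser_would_send(policy, "https://other.example", "GET", conditional))
```

The split between `needs_preflight` and `handle_preflight` mirrors the two sides of the protocol: the whitelist is a client-side rule that decides whether the server is consulted at all, while the server's allow-list decides what is granted. Note that the server answers a denied preflight with no `Access-Control-Allow-*` headers rather than a narrower grant, so a browser cannot cache a partial permission.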

Received on Tuesday, 8 April 2008 00:57:00 UTC