Access Control Open Issues

So these are the open issues as far as I can tell. I haven't tried  
addressing any of them yet as I hope we get some more feedback first, but  
at some point we'll have to move forward.

Issue 1

Define a list of request headers that don't trigger a preflight request  
for a request using the HTTP GET method. We already got some input on  
this. Once I get the WebApps wiki to work we should maybe list them there  
so we can brainstorm about it. The list would need to be evaluated by  
security folks.

Issue 2

Define a list of response headers that can be read after a cross-site  
request. The Access Control specification needs to clearly define which  
response headers are visible after a cross-site request. This information  
is currently in the XMLHttpRequest Level 2 specification (in the  
getResponseHeader() section) and should be moved.

Issue 3

Jonas Sicking says there's a third issue, but he hasn't elaborated on that  
yet.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 11 April 2008 14:31:39 UTC
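As an added illustration of Issues 1 and 2 (this is editor-supplied example code, not part of Anne's message and not the Access Control draft's own algorithm), the following models the two header lists the message asks for as a preflight decision and a response-header filter. The lists are an assumption about how the question was eventually answered: they are the sets the later CORS specification and the Fetch standard settled on (Accept, Accept-Language, Content-Language and a restricted Content-Type on the request side; Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified and Pragma on the response side, plus whatever Access-Control-Expose-Headers names, minus Set-Cookie). None of that was fixed in April 2008, so the example goes beyond what the message itself states.

```javascript
// Editor-added example, not from the original message. The header lists
// below are assumed from the later CORS / Fetch specifications; in 2008 they
// were exactly the open question this message raises.

// Issue 1: request headers that do not trigger a preflight on a simple method.
const SAFELISTED_REQUEST_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Content-Type is only safelisted for the values a plain HTML form can send.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Issue 2: response headers script may read after a cross-site request,
// even when the server exposes nothing explicitly.
const SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);
// Headers that can never be exposed, whatever the server lists (Fetch's
// forbidden response-header names).
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Returns true when a cross-site request with this method and these
// author-set headers must be preceded by an OPTIONS preflight.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_REQUEST_HEADERS.has(lname)) return true;
    if (lname === "content-type") {
      // Compare only the MIME type; parameters such as charset are ignored.
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Given the raw response headers of a cross-site response, returns the subset
// (lower-cased names) that getResponseHeader() would be allowed to return.
function visibleResponseHeaders(responseHeaders) {
  const exposed = new Set();
  for (const [name, value] of Object.entries(responseHeaders)) {
    if (name.toLowerCase() === "access-control-expose-headers") {
      value.split(",")
        .map((s) => s.trim().toLowerCase())
        .filter(Boolean)
        .forEach((h) => exposed.add(h));
    }
  }
  const visible = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    const lname = name.toLowerCase();
    if (FORBIDDEN_RESPONSE_HEADERS.has(lname)) continue;
    if (SAFELISTED_RESPONSE_HEADERS.has(lname) || exposed.has(lname)) {
      visible[lname] = value;
    }
  }
  return visible;
}

// Constructed sample: a JSON POST needs a preflight, a form POST does not,
// and a server that tries to expose Set-Cookie still cannot.
const sampleResponse = {
  "Content-Type": "text/plain",
  "X-Request-Id": "abc123",
  "Set-Cookie": "session=secret",
  "Access-Control-Expose-Headers": "X-Request-Id, Set-Cookie",
};
console.log(needsPreflight("POST", { "Content-Type": "application/json" }));
console.log(needsPreflight("POST", { "Content-Type": "text/plain; charset=utf-8" }));
console.log(visibleResponseHeaders(sampleResponse));
```

The security-relevant point of both lists is the same: the request list must contain only headers a plain HTML form could already have sent cross-site, so that no server sees anything new without a preflight, and the response list must contain only headers whose disclosure cannot leak credentials, which is why Set-Cookie stays hidden even when a server tries to expose it.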