- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 8 Feb 2008 18:37:15 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Fri, 8 Feb 2008, Jonas Sicking wrote:
>
> I propose that we remove both the Method-Check header, and the list of
> methods from the Access-Control header.
I support this.
> Thomas Roessler pointed out that 1 is better solved by simply stopping
> all requests that included a Referer-Root header. This could be done on
> a server level and would also stop any cached OPTIONS requests from
> making unsafe actions reach a CGI script. [Thus I propose dropping the
> deny rules.]
I support that too.
> I like this idea a lot. The only problem is that I'm worried that the
> Referer-Root header might get picked up by other specs due to its
> usefulness and generic name. However if we specified that Referer-Root
> should only ever be included in cross-site request, then that should
> mitigate that problem. In fact, i've wanted to add a header for
> cross-site image and script loads to allow the server to reject these
> more easily. (That would of course not be part of this spec).
I agree that this is a problem. I think if we remove the "deny" rule and
say that Referer-Root is the way to detect third-party access, we should
rename the header to be absolutely clear as to what is going on.
I recommend the name Access-Control-Origin.
At this point it would make sense to rename the Method-Check-* headers
too. I recommend changing the "Method-Check-" part to "Access-Control-",
so that the headers are:
On requests from a client:
Access-Control-Origin
On responses to OPTIONS when the policy is elsewhere:
Access-Control-Policy-Path
On all other responses:
Access-Control
Access-Control-Max-Age
Access-Control-Policy-Path
--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 8 February 2008 18:37:31 UTC
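The scheme discussed above, modelled as a server-side gate (an added example, not code from the WAF WG, the spec draft, or any browser): it implements Thomas Roessler's suggestion that a server can refuse any request carrying the cross-site marker header before application code (the "CGI script") runs, using the header names Ian proposes in this message (Access-Control-Origin on requests; Access-Control, Access-Control-Max-Age and Access-Control-Policy-Path on responses). These are the names proposed here, not the names the later CORS specification adopted. The "allow <origin>" value syntax, the allowed-origin list, the max-age value and the policy path are all assumptions.

```python
"""Hypothetical server-side gate for the cross-site header scheme proposed
in this thread. Added example; header value syntax, origins and paths are
assumed, not taken from the spec draft."""
from typing import Dict, Optional, Set, Tuple

# Assumed policy: origins allowed to make cross-site requests to this server.
ALLOWED_ORIGINS: Set[str] = {"http://app.example"}
MAX_AGE_SECONDS = 3600      # assumed value for Access-Control-Max-Age
POLICY_PATH = "/policy"     # assumed path used when the policy lives elsewhere

Headers = Dict[str, str]
Response = Tuple[int, Headers]


def normalise(headers: Headers) -> Headers:
    """HTTP header names are case-insensitive; compare on lowercase keys."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def is_cross_site(headers: Headers) -> bool:
    """Per the proposal the marker header is only ever sent on cross-site
    requests, so its mere presence identifies third-party access."""
    return "access-control-origin" in normalise(headers)


def gate(method: str, headers: Headers,
         allowed: Optional[Set[str]] = None,
         policy_elsewhere: bool = False) -> Response:
    """Decide on the request before any application code runs.

    Returns (status, response headers). A 403 means the request is dropped
    at server level; application code never sees it.
    """
    allowed = ALLOWED_ORIGINS if allowed is None else allowed
    h = normalise(headers)
    origin = h.get("access-control-origin")

    if origin is None:
        # Same-site request: no cross-site handling at all.
        return 200, {}

    if origin not in allowed:
        # Server-level refusal. This is what also covers the stale-preflight
        # case: a POST sent on the strength of a cached OPTIONS answer is
        # stopped here once the origin is no longer allowed, so the unsafe
        # action never reaches application code.
        return 403, {}

    if method.upper() == "OPTIONS":
        if policy_elsewhere:
            # Response to OPTIONS when the policy is served from another path.
            return 200, {"Access-Control-Policy-Path": POLICY_PATH}
        return 200, {
            "Access-Control": f"allow <{origin}>",      # assumed value syntax
            "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
        }

    # Real cross-site request from an allowed origin: let it through and
    # restate the grant on the response.
    return 200, {
        "Access-Control": f"allow <{origin}>",
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
    }


if __name__ == "__main__":
    # Constructed exchange: preflight approved, origin revoked, then the
    # browser replays a POST on the cached approval.
    origin_hdr = {"Access-Control-Origin": "http://app.example"}
    print("OPTIONS:", gate("OPTIONS", origin_hdr))
    print("POST after revocation:", gate("POST", origin_hdr, allowed=set()))
```

The point of the `allowed=set()` call is the revocation scenario from the thread: a preflight answer cached for Access-Control-Max-Age seconds does not help an attacker once the server-level check stops every marked request from an origin that is no longer permitted.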