- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 14 Feb 2008 22:24:38 +0000 (UTC)
- To: John Panzer <jpanzer@acm.org>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Thu, 14 Feb 2008, John Panzer wrote:
>
> I'm sorry, I wasn't clear. By 'delegated server' I meant that there's
> no CSR involved at all in this case, but I'm delegating some of the
> access rights that I (the user) have to C (in this case, a server).
>
> Example:
> A: Robert Scoble
> B: Facebook
> C: Plaxo
>
> Scoble (A) tells Facebook (B) it's okay for Plaxo (C) to pull contact
> list data. He then goes to sleep and shuts down his computer. Plaxo
> (C) then contacts Facebook (B) and retrieves the data, acting on behalf
> of Scoble (A) but not impersonating him.

In that scenario, you can use whatever headers you like. Access-Control
and XMLHttpRequest have absolutely nothing to do with this.

> In these cases, Authorization is authenticating the server (Plaxo) _and_
> authorizing its request based on prior input from the user. When you
> say there's no user/client involved I get confused -- the 'original
> server' and 'client' are the same thing in this transaction (Plaxo to
> Facebook), unless you're saying that a server can never be an HTTP
> client, which confuses me even more. The user is involved but not in
> real time -- indeed, it's key that they be involved since they're the
> ones authorizing the transaction.

The Access-Control spec only applies when there's a Web browser allowing a
Web page from one domain to make connections to a Web server from another
domain. When there's no Web browser driving the HTTP, there's no need for
Access-Control.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 14 February 2008 22:24:51 UTC
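The distinction Hickson draws is that Access-Control is enforced by the user agent, not by the server: a page's script only gets to read a cross-origin response if the response opts in, while a server-side client such as Plaxo reads whatever its Authorization header entitles it to. The constructed example below (added here, not code from the thread or from either spec) models both client paths against one hypothetical Facebook endpoint; the header name `Access-Control-Allow-Origin`, the origins and the bearer token are assumed for illustration.

```python
"""Constructed model of one Access-Control response seen by two kinds of
HTTP client.  Only the browser path consults the header; a server acting
on a user's delegated authority never does."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed secret standing in for whatever Scoble (A) granted Plaxo (C).
DELEGATED_TOKEN = "Bearer token-delegated-by-scoble-to-plaxo"


def facebook_contacts_endpoint(authorization: Optional[str]) -> Response:
    """Hypothetical resource server (B).  Authorization decides whether the
    data is released; the Access-Control header only says which *web
    origins* a browser may hand the body to."""
    if authorization != DELEGATED_TOKEN:
        return Response(401, {}, "unauthorized")
    return Response(200,
                    {"Access-Control-Allow-Origin": "https://www.plaxo.com"},
                    '["alice","bob"]')


def browser_cross_origin_read(page_origin: str, resp: Response) -> Optional[str]:
    """User-agent behaviour for a page at page_origin that used
    XMLHttpRequest against another origin.  The request was already sent;
    the check governs whether script may *read* the result."""
    allowed = resp.headers.get("Access-Control-Allow-Origin")
    if resp.status == 200 and allowed in ("*", page_origin):
        return resp.body
    return None  # browser withholds the body from the page's script


def server_to_server_read(resp: Response) -> Optional[str]:
    """Server-side HTTP client (C talking to B).  There is no page origin
    and no browser, so Access-Control headers carry no meaning here; only
    the HTTP status matters."""
    return resp.body if resp.status == 200 else None
```

Running both readers over the same response shows why the Authorization header, not Access-Control, is the relevant control in the delegated-server case.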