Re: Access Control for Cross-site Requests WD Published

A couple comments:

1. Why, for non-same-origin requests, are users limited to setting only the 
"Accept" and "Accept-Language" HTTP headers? Couldn't we allow a larger set 
of safe headers to be included? At least one could define a prefixed set of 
allowable headers (e.g. users could set "Cross-*" headers). This seems an 
excessive restraint and prevents some very useful functionality.

2. Can non-GET access only be granted as a response to user agent OPTION 
requests? Is there a reason that servers can't preemptively include access 
control headers (including policy path and max age) in GET responses to 
grant future non-GET requests? Since most non-GET requests will probably be 
preceded by GET requests, it seems like user agents could more efficiently 
determine access level if prior responses explicitly granted access. Of 
course, using the OPTION requests as outlined in the WD would still be 
appropriate if prior responses (if any) had not granted access.

This second question is not a big deal; the first one is more important to 
me. I am sorry if this has already been discussed; I couldn't find any such 
discussions in the archives.

Thanks,
Kris

----- Original Message ----- 
From: "Anne van Kesteren" <annevk@opera.com>
To: "WAF WG (public)" <public-appformats@w3.org>
Sent: Friday, February 15, 2008 7:37 AM
Subject: Access Control for Cross-site Requests WD Published


>
> Hi all,
>
> The WAF WG published a new snapshot of the editor's draft of Access 
> Control for Cross-site Requests yesterday in the W3C Technical Report 
> space. It includes recent HTTP header name changes and incorporates a new 
> proposal for limiting the amount of requests in case of non-GET methods to 
> various different URIs which share the same origin.
>
> In addition to those technical changes it also makes the (until now) 
> implicit requirements and use cases explicit by listing them in an 
> appendix and contains a short FAQ on design decisions.
>
>   http://www.w3.org/TR/2008/WD-access-control-20080214/
>
> We expect the next draft to go to Last Call so hereby we're soliciting 
> input, once again, from the Forms WG, HTML WG, HTTP WG, TAG, Web API WG, 
> and Web Security Context WG. (All on the "bcc list" so we don't get 
> massive cross-list e-mailing.)
>
> We appreciate input from anyone however, so feel free to forward or reply 
> to this e-mail as you see fit.
>
> Kind regards,
>
>
> -- 
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>
>
> 

Received on Friday, 15 February 2008 16:15:12 UTC
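The following is an added example for readers of this thread; it is not code from Kris's message, from Anne's, or from the WD itself. It models, in plain Node.js with no network, the two mechanisms the two questions above turn on: the user agent's decision that a cross-site request with anything beyond "Accept"/"Accept-Language" (or a non-simple method) must first be cleared by an OPTIONS round trip, and a per-(origin, URL) cache of the server's answer governed by a max-age, which is the "remember a prior grant" behaviour the second question asks about. Header names are assumed to be the ones this draft's successor (CORS) eventually standardized (Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Max-Age); the WD's exact header names at the time and its policy-path mechanism are not modelled. The `policy` object, origins and URLs are constructed for the example.

```javascript
// Added example: a model of the user-agent side of cross-site access control
// (preflight decision + cached grants). Not code from the WD or from the
// thread; CORS-era header names are assumed, policy/origins/URLs constructed.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// The WD limits author-set request headers to these; anything else forces
// the OPTIONS round trip before the real request may go out.
const SIMPLE_REQUEST_HEADERS = new Set(["accept", "accept-language"]);

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Must the user agent ask the target resource (OPTIONS) before sending this?
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.keys(headers).some((h) => !SIMPLE_REQUEST_HEADERS.has(h.toLowerCase()));
}

// Remembered grants, keyed on (requesting origin, target URL), each with an
// expiry derived from Access-Control-Max-Age. The clock is injectable so
// expiry can be exercised deterministically.
class PreflightCache {
  constructor(now = () => Date.now()) { this.now = now; this.entries = new Map(); }
  key(origin, url) { return `${origin} ${url}`; }
  store(origin, url, grant, maxAgeSeconds) {
    this.entries.set(this.key(origin, url), { ...grant, expires: this.now() + maxAgeSeconds * 1000 });
  }
  // A cached grant only covers a request whose method and custom headers it lists.
  lookup(origin, url, method, headers) {
    const k = this.key(origin, url);
    const e = this.entries.get(k);
    if (!e) return false;
    if (e.expires <= this.now()) { this.entries.delete(k); return false; }
    if (!e.methods.has(method.toUpperCase())) return false;
    return Object.keys(headers).every(
      (h) => SIMPLE_REQUEST_HEADERS.has(h.toLowerCase()) || e.headers.has(h.toLowerCase()));
  }
}

// Server side: what an opted-in resource answers to the preflight.
// `policy` is a constructed stand-in for the server's configuration.
function answerPreflight(policy, origin, method, requestedHeaders) {
  if (!policy.allowedOrigins.includes(origin)) return { status: 403, headers: {} };
  if (!policy.allowedMethods.includes(method)) return { status: 403, headers: {} };
  const bad = requestedHeaders.filter((h) => !policy.allowedHeaders.includes(h.toLowerCase()));
  if (bad.length) return { status: 403, headers: {} };
  return {
    status: 200,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": policy.allowedMethods.join(", "),
      "Access-Control-Allow-Headers": policy.allowedHeaders.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
    },
  };
}

// User agent driver. Returns a trace of what would go on the wire.
function crossSiteRequest(cache, policy, origin, url, method, headers) {
  const trace = [];
  if (originOf(url) !== origin && needsPreflight(method, headers)) {
    if (!cache.lookup(origin, url, method, headers)) {
      trace.push(`OPTIONS ${url}`);
      const custom = Object.keys(headers).filter((h) => !SIMPLE_REQUEST_HEADERS.has(h.toLowerCase()));
      const resp = answerPreflight(policy, origin, method.toUpperCase(), custom);
      if (resp.status !== 200) { trace.push("blocked"); return trace; }
      const split = (v, f) => new Set(v.split(",").map((s) => f(s.trim())));
      cache.store(origin, url, {
        methods: split(resp.headers["Access-Control-Allow-Methods"], (s) => s.toUpperCase()),
        headers: split(resp.headers["Access-Control-Allow-Headers"], (s) => s.toLowerCase()),
      }, Number(resp.headers["Access-Control-Max-Age"]));
    } else {
      trace.push("preflight cache hit");
    }
  }
  trace.push(`${method.toUpperCase()} ${url}`);
  return trace;
}

// Walk through the scenario the thread discusses with a constructed policy.
function demo() {
  const clock = { t: 0 };
  const cache = new PreflightCache(() => clock.t);
  const policy = {
    allowedOrigins: ["http://app.example"],
    allowedMethods: ["GET", "POST", "PUT"],
    allowedHeaders: ["x-requested-with"],
    maxAge: 600,
  };
  const origin = "http://app.example";
  const url = "http://api.example/items/1";
  const custom = { "X-Requested-With": "XMLHttpRequest" };
  const simple = crossSiteRequest(cache, policy, origin, url, "GET", { Accept: "application/json" });
  const first = crossSiteRequest(cache, policy, origin, url, "PUT", custom);
  const second = crossSiteRequest(cache, policy, origin, url, "PUT", custom);
  clock.t += 601 * 1000;                      // let the cached grant expire
  const expired = crossSiteRequest(cache, policy, origin, url, "PUT", custom);
  const denied = crossSiteRequest(cache, policy, "http://evil.example", url, "DELETE", {});
  return { simple, first, second, expired, denied };
}

console.log(demo());
```

The point for a reviewer of the first question is visible in `needsPreflight`: every header outside the short allow-list costs a round trip, but that round trip is also what keeps a non-opted-in server from ever seeing the custom header or the non-GET method. The second question is `PreflightCache`: a grant remembered per (origin, URL) with a max-age already removes the repeated OPTIONS cost, and any scheme that lets a GET response carry the grant would need the same scoping and expiry rules to avoid over-granting.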