- From: John Panzer <jpanzer@acm.org>
- Date: Thu, 21 Feb 2008 23:21:26 -0800
- To: Anne van Kesteren <annevk@opera.com>
- CC: "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote:

> I thought I'd outline my proposal for custom HTTP headers in a
> separate thread as the other threads had lots of noise. We change the
> cross-site request algorithm in the Access Control specification
> slightly to take a list of author provided HTTP headers. These author
> provided HTTP headers are filtered against a blacklist BL and then
> checked against a whitelist WL.
>
> BL is the list of headers currently listed in the XMLHttpRequest
> specification under the setRequestHeader() algorithm with the addition
> of cookie and credentials headers.
>
> WL is Accept, Accept-Language, and any other headers that we think fit
> here.
>
> We also name the "cross-site GET access request" algorithm the
> "cross-site default access request" algorithm and the "cross-site
> non-GET access request" algorithm the "cross-site access request with
> preflight" algorithm. (Or something equivalent.)
>
> Then if the desired request uses the HTTP GET method and checks
> positively against the whitelist WL (no other headers are included)
> the cross-site default access request algorithm is used. Otherwise the
> cross-site access request with preflight algorithm is used.
>
> This means that cross-site GET requests with custom HTTP headers other
> than Accept and Accept-Language will also get a preflight (but are not
> prohibited) and that all the other HTTP methods will work as they do
> in the current proposal except that their header list is not restricted.
>
> Thoughts welcome!

Looks good to me. (Is there a way for a server to distinguish a preflight for a GET vs. a preflight for a POST? Probably fine either way.)
Received on Friday, 22 February 2008 07:21:52 UTC
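The decision described in the quoted proposal, written out as an added example that is not code from the thread or from any specification: author headers are first filtered against a blacklist BL, then a GET whose remaining headers all sit in the whitelist WL takes the "default" path and everything else takes the "preflight" path. The concrete contents of BL (a subset of the XMLHttpRequest setRequestHeader() list plus Cookie/Authorization) and the sample requests are assumptions made for illustration.

```javascript
// Added example modelling the proposed client-side decision between the
// "cross-site default access request" and the "cross-site access request
// with preflight" algorithms. Header lists below are illustrative
// assumptions, not the normative lists from any specification.

// BL: headers the author may never set. A representative subset of the
// XHR setRequestHeader() list, plus the cookie and credentials headers
// the proposal adds to it (assumed here).
const BLACKLIST = new Set([
  "accept-charset", "accept-encoding", "connection", "content-length",
  "cookie", "cookie2", "authorization", "host", "referer", "te",
  "trailer", "transfer-encoding", "upgrade", "via",
]);

// WL: headers allowed on a GET without triggering a preflight.
const WHITELIST = new Set(["accept", "accept-language"]);

function isBlacklisted(name) {
  const n = name.toLowerCase();
  return BLACKLIST.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Returns { headers, algorithm }: the author headers that survive the
// blacklist filter, and "default" or "preflight". Comparison of header
// names is case-insensitive, as HTTP header names are.
function classifyRequest(method, authorHeaders) {
  // Step 1: drop anything on BL; the author is not allowed to set it.
  const headers = Object.keys(authorHeaders).filter((h) => !isBlacklisted(h));
  // Step 2: a GET carrying only WL headers needs no preflight.
  const onlyWhitelisted = headers.every((h) => WHITELIST.has(h.toLowerCase()));
  const algorithm =
    method.toUpperCase() === "GET" && onlyWhitelisted ? "default" : "preflight";
  return { headers, algorithm };
}

// Constructed sample requests (not taken from the thread).
const samples = [
  ["GET", { Accept: "text/html", "Accept-Language": "en" }],
  ["GET", { Accept: "application/json", "X-Requested-With": "XMLHttpRequest" }],
  ["GET", { Cookie: "session=abc", Accept: "text/html" }],
  ["POST", { "Content-Type": "text/plain" }],
];
for (const [method, hdrs] of samples) {
  const r = classifyRequest(method, hdrs);
  console.log(method, JSON.stringify(hdrs), "->", r.algorithm, r.headers);
}
```

The third sample shows the order of the two steps mattering: Cookie is removed by BL before the WL check, so the GET still goes down the default path rather than being rejected.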