Re: Moving forward with XHR2 and AC from Arthur Barstow on 2008-05-27 (public-appformats@w3.org from May 2008)

From: Arthur Barstow <art.barstow@nokia.com>
Date: Tue, 27 May 2008 09:25:44 -0400
To: Ian Hickson <ian@hixie.ch>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>
Cc: "public-webapi@w3.org WG (public)" <public-webapi@w3.org>, public-appformats@w3.org
Message-Id: <1C7D9E79-E57B-431C-A637-1048CA7BD40A@nokia.com>

Jonas - would please elaborate on your concerns regarding these three  
comments/issues? I would like to see the WG get consensus on these  
before we propose advancing the spec to Last Call.

More explicit details below.

-Regards, Art Barstow


On May 25, 2008, at 1:30 PM, ext Jonas Sicking wrote:

>
> Anne van Kesteren wrote:
>> I changed my mind on several things below.
>> On Fri, 16 May 2008 13:37:54 +0200, Anne van Kesteren  
>> <annevk@opera.com> wrote:
>>> On Fri, 16 May 2008 02:07:57 +0200, Ian Hickson <ian@hixie.ch>  
>>> wrote:
>>>> Anne, can you summarise what needs doing to XHR2 and AC to move  
>>>> them
>>>> forwards to last call? Is there a list of outstanding comments  
>>>> anywhere?
>>>
>>> XMLHttpRequest Level 2
>>>
>>> * Depends on XMLHttpRequest Level 1 feedback: http://dev.w3.org/ 
>>> 2006/webapi/XMLHttpRequest/disposition-of-comments-2
>>> * It needs an introduction at some point. (Though not per se for  
>>> Last Call I suppose.)
>> This is both still true though I made some progress incorperating  
>> feedback. (Need to make sure everything relevant made  
>> XMLHttpRequest 2 too though.
>>> Access Control for Cross-Site Requests
>>>
>>> * Need to deal with Access-Control-Policy-Path normalization
>> Done.
>
> I think we do need to deal with this. Just leaving it be will I  
> think will cause exploitable servers out there.

Do you have a counter-proposal and/or other inputs on what should be  
done?


>>> * Need to figure out if we want the server to whitelist headers/ 
>>> methods (we had methods before and then dropped it)
>> I changed my mind on this. Given the reply from Björn in  
>> particular I don't think there's anything that needs to be done here.
>
> I strongly disagree here. Sorry about being slow to reply, will  
> make sure that happens today.

Looking forward to your comments.


>>> * Need to figure out if we want the server to opt in to cookies/ 
>>> credentials
>> I rejected this proposal in another e-mail.
>
> Same thing here.

Again, looking forward to your comments.

Received on Tuesday, 27 May 2008 13:27:08 UTC