- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 27 May 2008 10:13:57 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
- Message-ID: <Pine.LNX.4.62.0805270954080.12907@hixie.dreamhostps.com>
On Sun, 25 May 2008, Jonas Sicking wrote:

> > > Access Control for Cross-Site Requests
> > >
> > > * Need to deal with Access-Control-Policy-Path normalization
> >
> > Done.
>
> I think we do need to deal with this. Just leaving it be will, I think,
> cause exploitable servers out there.

I don't understand how this is different to anything else that servers can do to shoot themselves in the foot. I think that the danger for authors using misconfigured and IIS servers is far outweighed by the benefit to all authors in terms of the reduced load. Firing an OPTIONS request for every single request is a high cost.

> > > * Need to figure out if we want the server to whitelist
> > > headers/methods (we had methods before and then dropped it)
> >
> > I changed my mind on this. Given the reply from Björn in particular I
> > don't think there's anything that needs to be done here.
>
> I strongly disagree here. Sorry about being slow to reply, will make
> sure that happens today.

Did you send the feedback on this?

I think going forward, given the history of this spec, I would recommend that Anne ignore requests that don't include reasoning. It isn't reasonable to disagree with decisions without explaining why. The only result is delay, something that we really don't need here.

> > > * Need to figure out if we want the server to opt in to
> > > cookies/credentials
> >
> > I rejected this proposal in another e-mail.
>
> Same thing here.

Ditto. Anne weighed the various factors and input here before responding. Just disagreeing with his conclusion doesn't introduce any new information, so his conclusion presumably wouldn't change.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 27 May 2008 10:14:44 UTC
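The three open items in the thread (preflight cost, server whitelisting of methods and headers, and an explicit opt-in for credentials) are easier to weigh with a concrete server-side decision in front of you. The following is an added example, not code from the thread or from any W3C draft: a minimal preflight handler in which the server explicitly whitelists origins, methods and request headers and must opt in to credentials per resource. It uses the `Access-Control-Allow-*` header names from the CORS specification as eventually standardised, which postdate the 2008 draft discussed above; the policy values, origins and the `ResourcePolicy` type are constructed for illustration, and the "simple request" rule is simplified (the real rule also inspects the Content-Type value).

```python
"""Added example (not from the thread): a server-side preflight decision for
the cross-site access-control model being debated. Header names follow the
later CORS standard; the policy and origins below are constructed."""

from dataclasses import dataclass

# Constructed policy for one resource: everything not listed here is refused,
# and credentials are off unless the resource explicitly opts in.
@dataclass(frozen=True)
class ResourcePolicy:
    allowed_origins: frozenset = frozenset({"https://app.example.test"})
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    allowed_headers: frozenset = frozenset({"content-type", "x-requested-with"})
    allow_credentials: bool = False
    max_age: int = 600  # seconds the client may cache this preflight result

# Simplified "simple request" rule: these methods/headers need no OPTIONS round trip.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method: str, request_headers: dict) -> bool:
    """True if a cross-site request with this method and header set must be
    preceded by an OPTIONS preflight (the per-request cost Ian refers to)."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    return any(name.lower() not in SIMPLE_HEADERS for name in request_headers)


def preflight_response(policy: ResourcePolicy, origin: str,
                       requested_method: str, requested_headers: str):
    """Decide an OPTIONS preflight. Returns (status, response_headers).

    Nothing is echoed back that the server did not explicitly whitelist: an
    unknown origin, a method outside the policy, or any non-whitelisted
    request header refuses the whole preflight."""
    if origin not in policy.allowed_origins:
        return 403, {}
    if requested_method.upper() not in policy.allowed_methods:
        return 403, {}
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if not wanted <= policy.allowed_headers:
        return 403, {}
    headers = {
        # Echo the specific origin rather than "*" so the answer can be cached
        # per origin; "Vary: Origin" keeps shared caches from mixing answers.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        "Access-Control-Max-Age": str(policy.max_age),
        "Vary": "Origin",
    }
    # Credentials are an explicit, per-resource opt-in, never a default.
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return 200, headers


if __name__ == "__main__":
    policy = ResourcePolicy()
    print(needs_preflight("POST", {"X-Requested-With": "XMLHttpRequest"}))
    print(preflight_response(policy, "https://app.example.test",
                             "POST", "content-type, x-requested-with"))
```

The `Access-Control-Max-Age` value is what bounds the cost Ian objects to: a client may reuse a successful preflight for that many seconds instead of sending OPTIONS before every request, so the trade-off in the thread is between that cache lifetime and how quickly a policy change takes effect.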