Re: Moving forward with XHR2 and AC

On Sun, 25 May 2008, Jonas Sicking wrote:
> > 
> > > Access Control for Cross-Site Requests
> > > 
> > > * Need to deal with Access-Control-Policy-Path normalization
> > 
> > Done.
> 
> I think we do need to deal with this. Just leaving it be will I think 
> will cause exploitable servers out there.

I don't understand how this is different to anything else that servers can 
do to shoot themselves in the foot. I think that the danger for authors 
using misconfigured and IIS servers is far outweighed by the benefit to 
all authors in terms of the reduced load. Firing an OPTIONS request for 
every single request is a high cost.


> > > * Need to figure out if we want the server to whitelist 
> > > headers/methods (we had methods before and then dropped it)
> > 
> > I changed my mind on this. Given the reply from Björn in particular I 
> > don't think there's anything that needs to be done here.
> 
> I strongly disagree here. Sorry about being slow to reply, will make 
> sure that happens today.

Did you send the feedback on this? I think going forward, given the 
history of this spec, I would recommend that Anne ignore requests that 
don't include reasoning. It isn't reasonable to disagree with decisions 
without explaining why. The only result is delay, something that we really 
don't need here.


> > > * Need to figure out if we want the server to opt in to 
> > > cookies/credentials
> > 
> > I rejected this proposal in another e-mail.
> 
> Same thing here.

Ditto. Anne weighed the various factors and input here before responding. 
Just disagreeing with his conclusion doesn't introduce any new 
information, so his conclusion presumably wouldn't change.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'