- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Tue, 27 May 2008 09:25:44 -0400
- To: Ian Hickson <ian@hixie.ch>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>
- Cc: "public-webapi@w3.org WG (public)" <public-webapi@w3.org>, public-appformats@w3.org
Jonas - would please elaborate on your concerns regarding these three comments/issues? I would like to see the WG get consensus on these before we propose advancing the spec to Last Call. More explicit details below. -Regards, Art Barstow On May 25, 2008, at 1:30 PM, ext Jonas Sicking wrote: > > Anne van Kesteren wrote: >> I changed my mind on several things below. >> On Fri, 16 May 2008 13:37:54 +0200, Anne van Kesteren >> <annevk@opera.com> wrote: >>> On Fri, 16 May 2008 02:07:57 +0200, Ian Hickson <ian@hixie.ch> >>> wrote: >>>> Anne, can you summarise what needs doing to XHR2 and AC to move >>>> them >>>> forwards to last call? Is there a list of outstanding comments >>>> anywhere? >>> >>> XMLHttpRequest Level 2 >>> >>> * Depends on XMLHttpRequest Level 1 feedback: http://dev.w3.org/ >>> 2006/webapi/XMLHttpRequest/disposition-of-comments-2 >>> * It needs an introduction at some point. (Though not per se for >>> Last Call I suppose.) >> This is both still true though I made some progress incorperating >> feedback. (Need to make sure everything relevant made >> XMLHttpRequest 2 too though. >>> Access Control for Cross-Site Requests >>> >>> * Need to deal with Access-Control-Policy-Path normalization >> Done. > > I think we do need to deal with this. Just leaving it be will I > think will cause exploitable servers out there. Do you have a counter-proposal and/or other inputs on what should be done? >>> * Need to figure out if we want the server to whitelist headers/ >>> methods (we had methods before and then dropped it) >> I changed my mind on this. Given the reply from Björn in >> particular I don't think there's anything that needs to be done here. > > I strongly disagree here. Sorry about being slow to reply, will > make sure that happens today. Looking forward to your comments. >>> * Need to figure out if we want the server to opt in to cookies/ >>> credentials >> I rejected this proposal in another e-mail. > > Same thing here. Again, looking forward to your comments.
Received on Tuesday, 27 May 2008 13:27:09 UTC