[access-control] Update from Anne van Kesteren on 2008-07-08 (public-webapps@w3.org from July to September 2008)

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 08 Jul 2008 21:31:40 +0200
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.udzm62be64w2qv@annevk-t60.oslo.opera.com>

Hi,

The WebApps WG had a F2F last week in Seattle. While I'm still a bit  
buzzed by the jet lag I managed to "finish" the work I started during the  
weekend on updating the Access Control for Cross-Site Requests (AC)  
specification to match resolutions and proposals made during the F2F  
meeting. The meeting logs of the F2F are not publicly available yet, but  
since the editor's draft is, I will summarize what I changed and depending  
on whether you trust me or not, you can infer from that what we decided  
upon...

The draft is available at the same place as usual:

   http://dev.w3.org/2006/waf/access-control/

Here is what I changed:

  * <?access-control?> is dropped. Might return in AC2.

  * Access-Control is now Access-Control-Origin which takes * or a URL. In  
other words, whether or not a site grants access is simplified *a lot*.  
Implementors who told me this was the most complex part to implement can  
rejoice. This also makes this specification consistent with Web Sockets  
and postMessage(), both defined in HTML5. (Access-Control-Origin is not to  
be confused with the old Access-Control-Origin, which is now Origin.)

  * Access-Control-Credentials provides an opt in mechanism for  
credentials. Whether or not credentials are included in the request  
depends on the "credentials flag", which is set by a hosting  
specification. Preflight requests are always without credentials.

  * Four new headers are introduced to deal with headers and method opt in.  
Two request headers (set by the user agent): Access-Control-Request-Method  
and Access-Control-Request-Headers. And two response headers:  
Access-Control-Allow-Method and Access-Control-Allow-Headers. (The  
introduction of these headers also affected the preflight result cache.)

  * The HTTP header blacklist is gone as that is something that affects all  
hosting specifications, including same-origin requests, and therefore is  
inappropriate in a specification intended solely for non same-origin  
requests.

  * I've referenced HTML5 for several concepts which hopefully encourages  
code reuse in user agents and also makes sure that we don't have to change  
if HTML5 does.

  * An access control check is now also performed when the redirect steps  
are applied to prevent data leakage from intranet pages.

So please review the changes made and the significant revisions to the  
processing model. Much appreciated. If you would like to review the CVS  
log entries you can do so here (changes since last time start at 1.178,  
"MASSIVE CHANGE"):

   http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.html


Kind regards,


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 8 July 2008 19:32:14 UTC