- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 15 Jul 2008 01:02:58 +0200
- To: "WebApps WG" <public-webapps@w3.org>

Since implementations need answers to various open issues soonish and I'm leaving on vacation roughly two days from now I'll propose various solutions here and try to integrate them in drafts later on:

HEADER NAMES

Access-Control-Origin -> Access-Control-Allow-Origin
Access-Control-Credentials -> Access-Control-Allow-Credentials

HEADER SYNTAX

Parsing Access-Control-Allow-Origin will have a check to ensure that <path> is empty. If it is non-empty the network error steps will be applied.

We keep the separate header for credentials to keep the origin concept orthogonal from the credentials flag.

CROSS-SITE POST

We limit the amount of Content-Type header values people can set for the simple cross-site POST request to those you can use with HTML forms today. This list will not become a fixed list until we work out how Access Control for Cross-Site Requests will work together with HTML5 forms.

XMLHTTPREQUEST API FLAG

The XMLHttpRequest interface will gain a withCredentials boolean DOM attribute. The value of that attribute is used during send() and stored "in memory" when send() is invoked so an event listener dispatched between send() being invoked and the request happening cannot change it.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 14 July 2008 23:03:26 UTC
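
The empty-path check proposed under HEADER SYNTAX, sketched as an added example that is not part of the original message or of any draft. The function names, the scheme://host[:port] value syntax, the rejection of query and fragment parts, the default-port table and the comparison against the requesting origin are all assumptions made for illustration.

```javascript
// Added example (hypothetical names). Assumed value syntax: scheme://host[:port][path]
const DEFAULT_PORTS = { http: "80", https: "443" }; // assumption: used to compare origins

// The value is split by hand on purpose: a URL parser that normalises an
// empty path to "/" would hide exactly the case this check is about.
function parseAllowOrigin(value) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#:@\s]+)(?::(\d+))?(.*)$/i.exec(value.trim());
  if (!m) return { ok: false, reason: "not scheme://host[:port]" };
  const [, scheme, host, port, rest] = m;
  // Anything after host[:port] means <path> (or, by assumption, a query or
  // fragment) is present, so the value is rejected.
  if (rest !== "") return { ok: false, reason: "trailing component: " + rest };
  const s = scheme.toLowerCase();
  return { ok: true, scheme: s, host: host.toLowerCase(), port: port || DEFAULT_PORTS[s] || "" };
}

// Returns "allow" or "network error" for a cross-site response.
// Assumption: the parsed header value must equal the requesting origin.
function checkAllowOrigin(requestOrigin, headerValue) {
  if (headerValue == null) return "network error";
  const want = parseAllowOrigin(requestOrigin);
  const got = parseAllowOrigin(headerValue);
  if (!want.ok || !got.ok) return "network error";
  const same = want.scheme === got.scheme && want.host === got.host && want.port === got.port;
  return same ? "allow" : "network error";
}

// Constructed sample header values, checked for a request from http://a.example
const samples = [
  "http://a.example",      // empty path
  "http://a.example:80",   // explicit default port, empty path
  "http://a.example/",     // "/" is a non-empty path
  "http://a.example/app",  // non-empty path
  "http://b.example",      // different origin
];
for (const v of samples) {
  console.log(v.padEnd(24), "->", checkAllowOrigin("http://a.example", v));
}
```

A server that echoes a configured site URL with a trailing slash into the header is the case this check catches: the value looks right to a human but is treated as a failed access check.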