- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 16 Jul 2008 17:34:54 -0500
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
Anne van Kesteren wrote:
> On Thu, 10 Jul 2008 13:14:03 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> An alternative syntax I've been thinking about for opting in to
>> cookies is:
>>
>> Access-Control: allow-with-credentials <http://foobar.com>
>>
>> There are a couple of advantages to this syntax. First of all it keeps
>> down the number of headers. Second, and more importantly, it cleanly
>> disallows opting in to cookies while wildcarding. We'd simply make the
>> syntax for the header
>>
>> Access-Control: "Access-Control" ":" allow-rule | allow-with-cred-rule
>> allow-rule: "allow" "<" (URL | "*") ">"
>> allow-with-cred-rule: "allow-with-credentials" "<" URL ">"
>
> We tried overloading Access-Control before with "allow this URL" and
> "allow this method". That didn't turn out so well.

Well, I think that we had more problems than just putting too much data
into one header. IMHO we also put the wrong data in there.

>> One, albeit not big, issue with the current proposal is that it allows
>> someone to say.
>>
>> Access-Control-Origin: *
>> Access-Control-Allow-Credentials: true
>>
>> which is somewhat unfortunate. While this can be defined to be
>> rejected by an implementation that supports the
>> Access-Control-Allow-Credentials header. An implementation like XDR
>> which doesn't will still allow the syntax.
>
> A problem with this approach is that if a resource exposes both public
> and private data you need an additional request header to know whether
> or not the allow-with-credentials syntax is actually supported and do
> more conditional logic on the server. (Or require that every client
> supports the credentials syntax but does not necessarily support sending
> credentials...)

No, we could just say that saying

Access-Control: allow-with-credentials<http://foo.com>

allows both requests with and without credentials. This should not be a
problem since a request without credentials looks the same as one with,
if the user hasn't logged in to the site previously.

> On Thu, 10 Jul 2008 13:17:29 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> To make it clear, since I'll be on vacation and won't be very
>> responsive on email the coming week, the current syntax is not
>> acceptable to mozilla. If referring to the above RFCs is not an option
>> for some reason, we need to define the syntax in some other way that
>> disallows full URIs that includes paths.
>
> I don't understand why it's not acceptable. You just shipped Firefox 3
> which uses exactly this syntax for more or less the same purpose.

It was a mistake that this fact went in as is. I don't see a reason to
make the same mistake again. FWIW I do hope to get this changed in the
spec for postMessage, but I'd rather not debate that here as it's the
wrong mailing list.

/ Jonas
Received on Wednesday, 16 July 2008 22:36:22 UTC
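
The grammar proposed in the message above, written out as an added example that is not part of the original e-mail or of any specification: a JavaScript parser for the `Access-Control` header value showing that the wildcard cannot be combined with credentials and that an `allow-with-credentials` rule also admits requests sent without credentials. The function names, the returned object shape, limiting `URL` to an http(s) origin without a path, and treating plain `allow` as not covering credentialed requests are assumptions.

```javascript
// Added example: parser for the header value grammar proposed in this message.
//   allow-rule:           "allow" "<" (URL | "*") ">"
//   allow-with-cred-rule: "allow-with-credentials" "<" URL ">"
// Names and return shapes below are hypothetical.
const RULE = /^(allow-with-credentials|allow)\s*<([^<>\s]+)>$/;

// Returns scheme://host[:port], or null when the value carries a path,
// query, fragment or userinfo (assumption: URL means a bare http(s) origin).
function toOrigin(value) {
  if (!/^https?:\/\/[^\/?#@\s]+$/i.test(value)) return null;
  try {
    return new URL(value).origin;
  } catch {
    return null; // e.g. an out-of-range port
  }
}

// Parses one header value; returns { origin, credentials } or null if invalid.
function parseAccessControl(headerValue) {
  const m = RULE.exec(headerValue.trim());
  if (!m) return null;
  const credentials = m[1] === "allow-with-credentials";
  if (m[2] === "*") {
    // The grammar has no production for a wildcard with credentials.
    return credentials ? null : { origin: "*", credentials: false };
  }
  const origin = toOrigin(m[2]);
  return origin ? { origin, credentials } : null;
}

// Decides whether a response may be shared with requestOrigin.
// An allow-with-credentials rule covers requests with and without credentials;
// a plain allow rule is assumed to cover only requests without them.
function mayShare(headerValue, requestOrigin, sentCredentials) {
  const rule = parseAccessControl(headerValue);
  if (!rule) return false; // fail closed on anything unparseable
  if (sentCredentials && !rule.credentials) return false;
  return rule.origin === "*" || rule.origin === requestOrigin;
}
```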