XDomainRequest Integration with AC from Sunava Dutta on 2008-07-18 (public-webapps@w3.org from July to September 2008)

From: Sunava Dutta <sunavad@windows.microsoft.com>
Date: Fri, 18 Jul 2008 16:20:59 -0700
To: "annevk@opera.com" <annevk@opera.com>, "jonas@sicking.cc" <jonas@sicking.cc>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>
CC: "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-ID: <083D18C6B9B71F4CBCA7B76D97B748310C815E8269@NA-EXMSG-W601.wingroup.windeploy.ntd>

I'm in time pressure to lock down the header names for Beta 2 to integrate XDR with AC. It seems no body has objected to Jonas's proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
Please let me know if this discussion is closed so we can make the change.

Namely,
The changes to support the new Access control model is as follows -


*         Change Referer header set in the request to Origin.

*         Change the XDomainRequestAllowed header check from it being "1" to check for Access-Control: allow <*>

In addition, I realized that the discussions we had in the F2F (tracked by issue 32 http://www.w3.org/2008/webapps/track/issues/32) means that an access control check is now also performed when the redirect steps are applied to prevent data leakage from intranet pages. This is different from XDR as we currently do the check in the final destination for redirection. I think the reason why we did this in XDR was to allow cross domain resources to move around easily. That said, I'm not religious about this issue either way. (Adding my team-mates to hear if they have any concerns).  I'll ask our dev to make the change, but before that I just wanted to confirm the AC spec will be updated with this. Currently I couldn't find this in the updated spec but I could be wrong.
Thanks,

Received on Friday, 18 July 2008 23:21:45 UTC