Re: XDomainRequest Integration with AC

On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:

> I’m in time pressure to lock down the header names for Beta 2 to
> integrate XDR with AC. It seems nobody has objected to Jonas’s
> proposal: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
> Please let me know if this discussion is closed so we can make the
> change.

I think Anne's email represents the most recent agreement and I don't
think anyone has objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html

The change would be:

Instead of checking for "XDomainRequestAllowed: 1", check for
"Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url",
where url matches what was sent in the Origin header.

Regards,
Maciej



>
> Namely,
> The changes to support the new Access control model are as follows:
>
> - Change the Referer header set in the request to Origin.
> - Change the XDomainRequestAllowed header check from it
>   being “1” to checking for Access-Control: allow <*>
>
> In addition, I realized that the discussions we had in the F2F
> (tracked by issue 32, http://www.w3.org/2008/webapps/track/issues/32)
> mean that an access control check is now also performed when the
> redirect steps are applied, to prevent data leakage from intranet
> pages. This is different from XDR, as we currently do the check at
> the final destination for redirection. I think the reason why we did
> this in XDR was to allow cross domain resources to move around
> easily. That said, I’m not religious about this issue either way.
> (Adding my team-mates to hear if they have any concerns.) I’ll ask
> our dev to make the change, but before that I just wanted to confirm
> the AC spec will be updated with this. Currently I couldn’t find
> this in the updated spec but I could be wrong.
> Thanks,

Received on Saturday, 19 July 2008 00:00:35 UTC
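The header rule Maciej states (accept the response only when Access-Control-Allow-Origin is `*` or exactly the origin the request sent) and the redirect point Sunava raises (run the check at every redirect step rather than only at the final destination) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from IE's XDR implementation or from the Access Control spec; all function names, the sample hops and the intranet/public host names are constructed for the example.

```python
# Added example (not from the thread): a client-side access check modelled on
# the header rule in Maciej's reply, plus the per-redirect-step variant that the
# quoted F2F decision describes. Helper names and sample data are invented.
from typing import Mapping, Optional, Sequence, Tuple

WILDCARD = "*"
REDIRECT_STATUSES = (301, 302, 303, 307)


def header_value(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def legacy_xdr_allowed(headers: Mapping[str, str]) -> bool:
    """The pre-change XDR rule: response must carry 'XDomainRequestAllowed: 1'."""
    return header_value(headers, "XDomainRequestAllowed") == "1"


def access_control_allowed(request_origin: str, headers: Mapping[str, str]) -> bool:
    """The rule from the thread: Access-Control-Allow-Origin must be '*' or
    exactly the serialized origin that was sent in the request's Origin header.
    A missing header, a different origin, or a comma-joined list all fail,
    because none of them is string-equal to the request origin."""
    allow = header_value(headers, "Access-Control-Allow-Origin")
    if allow is None:
        return False
    return allow == WILDCARD or allow == request_origin


# A "hop" is (url, status, response headers), one entry per response the
# browser sees while following redirects.
Hop = Tuple[str, int, Mapping[str, str]]


def check_final_only(request_origin: str, hops: Sequence[Hop]) -> bool:
    """XDR's current behaviour as described in the quoted mail: only the final
    (non-redirect) response is subjected to the access check."""
    url, status, headers = hops[-1]
    if status in REDIRECT_STATUSES:
        return False  # chain never reached a final resource
    return access_control_allowed(request_origin, headers)


def check_each_step(request_origin: str, hops: Sequence[Hop]) -> Tuple[bool, str]:
    """The AC behaviour after the F2F decision: every response in the chain,
    redirects included, must pass the check. Returns (allowed, url where the
    walk stopped) so a failure can be attributed to the offending hop."""
    for url, status, headers in hops:
        if not access_control_allowed(request_origin, headers):
            return False, url
        if status not in REDIRECT_STATUSES:
            return True, url
    return False, hops[-1][0]  # ran out of hops while still redirecting


# Constructed scenario: a page on a public site requests an intranet URL. The
# intranet server answers with a redirect whose Location carries data, and the
# redirect target is a public collector that replies with a wildcard header.
REQUEST_ORIGIN = "http://app.example"
LEAKY_CHAIN: Sequence[Hop] = (
    ("http://intranet.corp.invalid/report", 302,
     {"Location": "http://collector.example/in?payload=REDACTED"}),
    ("http://collector.example/in?payload=REDACTED", 200,
     {"Access-Control-Allow-Origin": "*"}),
)

if __name__ == "__main__":
    print("final-only check:", check_final_only(REQUEST_ORIGIN, LEAKY_CHAIN))
    print("per-step check:  ", check_each_step(REQUEST_ORIGIN, LEAKY_CHAIN))
```

With the final-only rule the chain is accepted, because the last response says `*`; with the per-step rule it is rejected at the intranet hop, which never opted in, so the redirect's Location (and whatever it carries) is not followed. That is the leakage the quoted F2F decision closes. The origin comparison is a plain string equality, which is what "url matches what was sent in the Origin header" calls for; anything looser (prefix or substring matching) would let an unrelated host satisfy the check.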