Re: XDomainRequest Integration with AC

Maciej Stachowiak wrote:
> 
> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
> 
>> I’m in time pressure to lock down the header names for Beta 2 to 
>> integrate XDR with AC. It seems no body has objected to Jonas’s 
>> proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
>> Please let me know if this discussion is closed so we can make the change.
> 
> I think Anne's email represents the most recent agreement and I don't 
> think anyone has 
> objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
> 
> The change would be: 
> 
> Instead of checking for "XDomainRequestAllowed: 1" check for 
> "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url" 
> where url matches what was sent in the Origin header.

So I have one final request for a change to the above syntax.

How would people feel about the syntax

Access-Control-Allow-Origin: <url>

This would give us at least something for a forwards compatibility story 
if we wanted to add to the syntax in future versions of the spec. I 
really think we are being overly optimistic if we think that the current 
syntax is the be-all end-all syntax that we'll ever want.

For example during the meeting we talked about that banks might want to 
enforce that the requesting site uses a certain level of encryption, or 
even a certain certificate. A syntax for that might be:

Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1

Or that the site in question uses some opt-in XSS mitigation technology 
(such as the one drafted by Brandon Sterns in a previous thread in this 
WG). This could be done as

Access-Control-Allow-Origin: origin <https://foo.com> require-xss-protection

So the formal syntax would be

"Access-Control-Allow-Origin:" "<" ("*" | url) ">"

/ Jonas

/ Jonas

Received on Saturday, 19 July 2008 06:15:47 UTC