- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 18 Jul 2008 23:27:34 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Sunava Dutta <sunavad@windows.microsoft.com>, "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Jonas Sicking wrote:
> Maciej Stachowiak wrote:
>> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
>>> I’m in time pressure to lock down the header names for Beta 2 to
>>> integrate XDR with AC. It seems nobody has objected to Jonas’s
>>> proposal.
>>> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
>>> Please let me know if this discussion is closed so we can make the
>>> change.
>>
>> I think Anne's email represents the most recent agreement and I don't
>> think anyone has objected:
>> http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
>>
>> The change would be:
>> Instead of checking for "XDomainRequestAllowed: 1" check for
>> "Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url"
>> where url matches what was sent in the Origin header.
>
> So I have one final request for a change to the above syntax.
>
> How would people feel about the syntax
>
> Access-Control-Allow-Origin: <url>
>
> This would give us at least something for a forwards compatibility story
> if we wanted to add to the syntax in future versions of the spec. I
> really think we are being overly optimistic if we think that the current
> syntax is the be-all end-all syntax that we'll ever want.
>
> For example during the meeting we talked about that banks might want to
> enforce that the requesting site uses a certain level of encryption, or
> even a certain certificate. A syntax for that might be:
>
> Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
>
> Or that the site in question uses some opt-in XSS mitigation technology
> (such as the one drafted by Brandon Sterns in a previous thread in this
> WG). This could be done as
>
> Access-Control-Allow-Origin: origin <https://foo.com>
> require-xss-protection
>
> So the formal syntax would be
>
> "Access-Control-Allow-Origin:" "<" ("*" | url) ">"

We might also want to consider simply calling the header

Access-Control-Allow

Since the above future expansions would make the header not just contain
the origin, but also further restrictions on the origin.

/ Jonas
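The client-side check Maciej quotes (allow on `*` or on an exact match with the Origin request header) together with Jonas's bracketed syntax, as an added example that is not part of this thread or of any browser's code. Function names are mine, and the choice to refuse a header carrying restriction tokens the client does not understand is an assumption about how a forward-compatible client should fail.

```javascript
// Added example, not from the thread. Parses the bracketed form Jonas
// proposes, "<" ("*" | url) ">" with optional trailing tokens (an optional
// leading word "origin" is accepted, as in his worked examples), e.g.
//   origin <https://foo.com> require-xss-protection
// Returns null if the value is not in bracketed form.
function parseBracketedAllowOrigin(value) {
  const m = /^\s*(?:origin\s+)?<([^>]*)>(.*)$/.exec(value);
  if (!m) return null;
  const rest = m[2].trim();
  return { origin: m[1].trim(), extras: rest === '' ? [] : rest.split(/\s+/) };
}

// Parses the plain form from Anne's agreement: "*" or exactly one origin.
function parsePlainAllowOrigin(value) {
  const v = value.trim();
  if (v === '' || /\s/.test(v)) return null; // more than one token: malformed
  return { origin: v, extras: [] };
}

// Normalises an origin for comparison (scheme and host lower-cased, default
// port dropped, no path/query/fragment allowed). Returns null if invalid.
function normaliseOrigin(s) {
  if (s === '*') return '*';
  let u;
  try { u = new URL(s); } catch (e) { return null; }
  if (u.pathname !== '/' || u.search !== '' || u.hash !== '') return null;
  return u.origin;
}

// Decides whether a cross-site response may be exposed to the page whose
// Origin request header was requestOrigin. Rule from the thread: allow on
// "*" or on an exact origin match; everything else fails closed.
function isCrossOriginResponseAllowed(requestOrigin, allowOriginHeader) {
  if (allowOriginHeader == null) return false;                  // header absent
  const parsed = parseBracketedAllowOrigin(allowOriginHeader)
              || parsePlainAllowOrigin(allowOriginHeader);
  if (!parsed) return false;                                    // malformed
  // Assumption: an unknown future restriction token ("encryption sha1",
  // "require-xss-protection") cannot be verified here, so deny rather than
  // silently grant more than the server asked for.
  if (parsed.extras.length > 0) return false;
  const allowed = normaliseOrigin(parsed.origin);
  const requester = normaliseOrigin(requestOrigin);
  if (allowed === null || requester === null) return false;
  return allowed === '*' || allowed === requester;
}
```

Note that the match is on the whole normalised origin, so `https://foo.com.example` or `https://foo.com/path` never matches an `Access-Control-Allow-Origin: https://foo.com` header.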
Received on Saturday, 19 July 2008 06:28:18 UTC