Re: XDomainRequest Integration with AC from Maciej Stachowiak on 2008-07-20 (public-webapps@w3.org from July to September 2008)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 19 Jul 2008 21:31:39 -0700
To: Jonas Sicking <jonas@sicking.cc>
Cc: Sunava Dutta <sunavad@windows.microsoft.com>, "annevk@opera.com" <annevk@opera.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-Id: <04C1A736-F9EE-4503-BCEE-551619AC2135@apple.com>

On Jul 18, 2008, at 11:15 PM, Jonas Sicking wrote:

> Maciej Stachowiak wrote:
>> On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
>>> I’m in time pressure to lock down the header names for Beta 2 to  
>>> integrate XDR with AC. It seems no body has objected to Jonas’s  
>>> proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
>>> Please let me know if this discussion is closed so we can make the  
>>> change.
>> I think Anne's email represents the most recent agreement and I  
>> don't think anyone has objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
>> The change would be: Instead of checking for  
>> "XDomainRequestAllowed: 1" check for "Access-Control-Allow-Origin:  
>> *" or "Access-Control-Allow-Origin: url" where url matches what was  
>> sent in the Origin header.
>
> So I have one final request for a change to the above syntax.
>
> How would people feel about the syntax
>
> Access-Control-Allow-Origin: <url>

I don't think the angle brackets are necessary for forward compat,  
since we can just disallow spaces from the URL.

  - Maciej

>
>
> This would give us at least something for a forwards compatibility  
> story if we wanted to add to the syntax in future versions of the  
> spec. I really think we are being overly optimistic if we think that  
> the current syntax is the be-all end-all syntax that we'll ever want.
>
> For example during the meeting we talked about that banks might want  
> to enforce that the requesting site uses a certain level of  
> encryption, or even a certain certificate. A syntax for that might be:
>
> Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
>
> Or that the site in question uses some opt-in XSS mitigation  
> technology (such as the one drafted by Brandon Sterns in a previous  
> thread in this WG). This could be done as
>
> Access-Control-Allow-Origin: origin <https://foo.com> require-xss- 
> protection
>
> So the formal syntax would be
>
> "Access-Control-Allow-Origin:" "<" ("*" | url) ">"
>
> / Jonas
>
> / Jonas

Received on Sunday, 20 July 2008 04:32:20 UTC