- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 26 Aug 2008 15:11:38 +0200
- To: "WebApps WG" <public-webapps@w3.org>
On Tue, 15 Jul 2008 01:02:58 +0200, Anne van Kesteren <annevk@opera.com> wrote:
> Since implementations need answers to various open issues soonish and
> I'm leaving on vacation roughly two days from now I'll propose various
> solutions here and try to integrate them in drafts later on:

I made the changes to the Access Control for Cross-Site Requests specification as described below. From discussion it seemed that everyone could agree to this fortunately. (Although there was some discussion on whether or not the Access-Control-Allow-Origin value syntax needed changing.)

> HEADER NAMES
>
> Access-Control-Origin -> Access-Control-Allow-Origin
>
> Access-Control-Credentials -> Access-Control-Allow-Credentials
>
>
> HEADER SYNTAX
>
> Parsing Access-Control-Allow-Origin will have a check to ensure that
> <path> is empty. If it is non-empty the network error steps will be
> applied. We keep the separate header for credentials to keep the origin
> concept orthogonal from the credentials flag.

This changed to become a simple string comparison. Effectively, between the value of Origin and Access-Control-Allow-Origin.

> CROSS-SITE POST
>
> We limit the amount of Content-Type header values people can set for the
> simple cross-site POST request to those you can use with HTML forms
> today. This list will not become a fixed list until we work out how
> Access Control for Cross-Site Requests will work together with HTML5
> forms.

I have not yet made this change to XMLHttpRequest Level 2, but the Access Control specification does support the architecture required for it:

> XMLHTTPREQUEST API FLAG
>
> The XMLHttpRequest interface will gain a withCredentials boolean DOM
> attribute. The value of that attribute is used during send() and stored
> "in memory" when send() is invoked so an event listener dispatched
> between send() being invoked and the request happening cannot change it.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 26 August 2008 13:12:13 UTC
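
Added example, not part of the original message or of the specification text: a small JavaScript model of the two behaviours the message describes, the Access-Control-Allow-Origin check as a plain string comparison against Origin, and withCredentials being captured when send() is invoked. The names checkAllowOrigin and ModelRequest, the lower-cased header map, and the literal "true" for Access-Control-Allow-Credentials are assumptions made for illustration; only the exact-match case from the message is modelled.

```javascript
// Hypothetical helper: resource-sharing check as a case-sensitive string
// comparison between the request's Origin value and the response's
// Access-Control-Allow-Origin value. Nothing is parsed or normalised, so a
// value with a path, different case, or an explicit port just fails to match.
function checkAllowOrigin(origin, responseHeaders, credentialsFlag) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (typeof allow !== "string" || allow !== origin) return false;
  if (credentialsFlag) {
    // Separate header keeps the origin concept orthogonal to credentials.
    // Assumption: the server opts in with the literal value "true".
    return responseHeaders["access-control-allow-credentials"] === "true";
  }
  return true;
}

// Hypothetical model of the XMLHttpRequest flag: the attribute is copied
// when send() is invoked, so later writes cannot affect this request.
class ModelRequest {
  constructor(origin) {
    this.origin = origin;
    this.withCredentials = false;
    this.listeners = []; // callbacks dispatched between send() and the fetch
  }
  send(getResponseHeaders) {
    const credentialsFlag = this.withCredentials; // stored "in memory"
    for (const listener of this.listeners) listener(this); // may flip attribute
    const headers = getResponseHeaders(credentialsFlag);
    return {
      sentWithCredentials: credentialsFlag,
      allowed: checkAllowOrigin(this.origin, headers, credentialsFlag),
    };
  }
}

// Constructed sample: a listener tries to enable credentials after send().
function demoLateFlip() {
  const req = new ModelRequest("http://example.org");
  req.listeners.push((r) => { r.withCredentials = true; });
  return req.send(() => ({ "access-control-allow-origin": "http://example.org" }));
}
```

A server that echoes the origin with a trailing slash or in a different case fails this check, which is the practical consequence of dropping the earlier parse-and-reject-path rule in favour of string equality.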