- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 13 Sep 2008 13:37:10 +0200
- To: "WebApps WG" <public-webapps@w3.org>
Hi, Yesterday the WebApps WG published a new version of the Access Control for Cross-Site Requests specification: http://www.w3.org/TR/2008/WD-access-control-20080912/ Comments are welcome on this mailing list (public-webapps@w3.org) with a Subject starting with "[access-control] ". This draft includes the changes decided upon during the Seattle F2F as well as some further changes as discussed on this mailing list, which I'll try to summarize here: * <?access-control?> removed. * Access-Control-Policy-Path removed. * Method check is now simply known as preflight request. * The Access-Control-Origin request header is now called Origin. * Access-Control is renamed to Access-Control-Allow-Origin and takes a simple origin or wildcard. (Access item is therefore gone too.) * Introduced the Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Request-Method, and Access-Control-Request-Headers so sites can carefully opt in to HTTP methods and HTTP request headers. * Simple GET and POST requests can only use a limited amount of request headers and the Content-Type header is even further restricted to a number of media types HTML form submission takes. * The protocol is rethought in such a way that XDomainRequest can use it. If you wish more detail you can study the CVS checkins that should have reasonable accurate summaries (checkins 1.170 to 1.190): http://dev.w3.org/cvsweb/2006/waf/access-control/Overview.src.html Please note that the TR/ version of XMLHttpRequest Level 2 has not yet been updated to incorperate the revised protocol. Implementors are advised to use the editor drafts instead: http://dev.w3.org/2006/waf/access-control/ http://dev.w3.org/2006/webapi/XMLHttpRequest-2/ -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Saturday, 13 September 2008 11:37:51 UTC