- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 03 Oct 2008 14:29:50 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>, "Webapps WG" <public-webapps@w3.org>
On Thu, 02 Oct 2008 01:24:34 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> I think it would be good if we more explicitly could define the two,
> with cookies vs. without cookies, security modes for Access-Control.
>
> Right now the spec talks about the with-credentials flag either being
> true or false, however it doesn't really receive as much attention as
> for example simple vs. preflighted requests.

That's because simple vs. preflight requests affect a lot of things. Whether or not cookies are included doesn't really.

> Second, it would allow implementations such as Microsoft's XDR (if they
> end up supporting Access-Control) to more precisely talk about which
> parts of the spec they use.

As far as I can tell they can be really precise on that already. XDomainRequest "invokes" cross-site access request with a request URL as given, request method as given (though can only be GET or POST), request headers as given (though only Content-Type can be set, and only to a restricted list of values as I understand it), request entity body as given, source for source origin as how IE determines the origin for XDomainRequest, a credentials flag set to false, a force preflight flag set to false.

The logical result of this is that with XDomainRequest not everything of Access Control is exposed, but that's not a problem. That's perfectly fine and allowed by the Access Control specification. I actually posted about this long ago and never received any feedback so I assumed it was fine:

http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0035.html

(Note that we did change the header name servers have to return since that message.)

> One way to talk about this is as requests for public versus private
> resources. This is definitely something we should talk about in the
> Security Considerations section (which in general seems to be missing a
> part about servers). We should also talk about it in the Processing
> Model section.

Yeah, some clarifications around the credentials flag would be appropriate.

> Let me know what you think.

I don't think it's needed.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 3 October 2008 12:30:35 UTC
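The two "security modes" Jonas and Anne discuss (credentials flag false, as XDomainRequest always sends, versus true) come down to a server-side decision about which Access-Control headers to return and a client-side check that depends on that flag. The following is an added example, not code from the thread, from Opera, or from any browser's implementation. It uses the header names of the current CORS (Fetch) specification rather than the 2008 draft Anne notes was still changing; the `policy` object shape, the origins, and the function names are assumptions for illustration.

```javascript
// Added example (not from the original thread). Models the credentials flag
// of a cross-site access request with the rules of the current CORS/Fetch
// specification. Header names are the modern ones; the 2008 draft differed.

// Server side: choose the Access-Control-* headers for a resource.
// `policy` is an assumed shape for this example:
//   { public: bool, allowedOrigins: string[], allowCredentials: bool }
function serverCorsHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.public) {
    // Public resource: anyone may read it, so a wildcard is fine. Note that
    // a wildcard never satisfies a credentialed request (see corsCheck).
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  // Private resource: echo only an origin on the allow list, and only then
  // opt in to credentials. Vary on Origin so caches do not leak one origin's
  // answer to another.
  if (policy.allowedOrigins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
    if (policy.allowCredentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers;
}

// Client side: the browser's CORS check on a response. `withCredentials`
// is the credentials flag: false for an XDomainRequest-style request,
// true when cookies or HTTP auth were sent.
function corsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;            // no opt-in at all
  if (!withCredentials && allowOrigin === "*") return true; // public read
  if (allowOrigin !== requestOrigin) return false;         // not this origin
  if (!withCredentials) return true;                       // exact match, no cookies
  // Credentialed: the server must additionally say Allow-Credentials: true.
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Runs the four cases that matter for the public/private distinction.
function demo() {
  const appOrigin = "https://app.example";   // assumed origins for the demo
  const evilOrigin = "https://evil.example";
  const publicPolicy = { public: true, allowedOrigins: [], allowCredentials: false };
  const privatePolicy = { public: false, allowedOrigins: [appOrigin], allowCredentials: true };
  return {
    // Public resource, credentials flag false (the XDomainRequest mode): allowed.
    publicNoCreds: corsCheck(appOrigin, false, serverCorsHeaders(appOrigin, publicPolicy)),
    // Public resource but cookies attached: "*" is refused, so the caller
    // cannot read a response that may have been personalised by the cookie.
    publicWithCreds: corsCheck(appOrigin, true, serverCorsHeaders(appOrigin, publicPolicy)),
    // Private resource, allowed origin, server opted in to credentials: allowed.
    privateWithCreds: corsCheck(appOrigin, true, serverCorsHeaders(appOrigin, privatePolicy)),
    // Private resource, origin not on the allow list: no headers, refused.
    privateEvilWithCreds: corsCheck(evilOrigin, true, serverCorsHeaders(evilOrigin, privatePolicy)),
  };
}

console.log(demo());
```

The asymmetry in `corsCheck` is the point of the thread: a resource that is public for cookie-less requests is not automatically public for credentialed ones, which is why the server-side guidance belongs in the Security Considerations section as well as the Processing Model.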