Access Control for Cross-site Requests

We want cross-site requests for XBL, XSLT, HTML 5 <event-source>, XMLHttpRequest, and probably more…

The GET Solution

• Check Acces-Control HTTP header
• Check <?access-control?> PI if XML
• Deny or allow access to the contents

Cross-site requests for XBL, XSLT, and <event-source> solved.

The Non-GET (POST, DELETE, …) Solution

• Check authentication request cache
• If no entry in the cache make an authentication request
• If all is good make the desired request
• Apply "The GET Solution" to the response

Authentication request

• Set Method-Check HTTP request header
• Make a GET request
• Apply "The GET Solution" to the response
• …

Authentication request (continued)

• Check the Allow HTTP response header
• Make an authentication request cache entry using the Method-Check-Expires HTTP response header if all is good

Cross-site requests for XMLHttpRequest, and earlier mentioned technologies solved.

http://www.w3.org/TR/access-control/ is not up to date.

Questions?