Re: CfC: Candidate Recommendation of XMLHttpRequest; deadline June 30

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 29 Jun 2010 17:01:23 +0200
To: art.barstow@nokia.com, "Thomas Roessler" <tlr@w3.org>
Cc: "'www-archive'" <www-archive@w3.org>
Message-ID: <op.ve2hb6dd64w2qv@annevk-t60>

On Tue, 22 Jun 2010 14:06:23 +0200, Thomas Roessler <tlr@w3.org> wrote:
> no news that I'd be aware of.
>
> Anne, can you take a first stab at the security considerations?  As I  
> said earlier, I'm available to review things, but don't have the  
> bandwidth to do significant writing this week.

I read through the original thread again (several times, I might add) and  
I'm still not sure what needs to be written down.

http://lists.w3.org/Archives/Public/public-webapps/2010JanMar/thread.html#msg202

CONNECT, TRACK, and TRACE already have references with detailed  
explanations.

DNS rebinding is a generic problem.

setRequestHeader no longer mentions security reasons.

HTTP redirects simply follow the same policy as normal requests.

Origin is also a generic problem. I suspect we'll switch references from  
HTML5 to the origin specification in due course.

The SHOULD/MUST confusion has been addressed too.


The original thread concluded with looking for volunteers for certain  
aspects and the question as to whether a generic document was needed. I  
have attempted to clarify matters somewhat in the specification for  
setRequestHeader. Other than that I believe said volunteers have not been  
found. A document has not been written either. It has now been almost six  
months. We can continue looking I suppose, and we probably should, but at  
some point we have to cut our losses and move on.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 29 June 2010 15:02:18 UTC
