+1. This all looks really good from a simplification perspective for the current requirements.
Cheers,
Dave

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ian Hickson
> Sent: Friday, February 08, 2008 10:37 AM
> To: Jonas Sicking
> Cc: WAF WG (public)
> Subject: Re: Simplifying the AC spec
>
>
> On Fri, 8 Feb 2008, Jonas Sicking wrote:
> >
> > I propose that we remove both the Method-Check header, and the list of
> > methods from the Access-Control header.
>
> I support this.
>
> > Thomas Roessler pointed out that 1 is better solved by simply stopping
> > all requests that included a Referer-Root header. This could be done
> > on a server level and would also stop any cached OPTIONS requests from
> > making unsafe actions reach a CGI script. [Thus I propose dropping the
> > deny rules.]
>
> I support that too.
>
> > I like this idea a lot. The only problem is that I'm worried that the
> > Referer-Root header might get picked up by other specs due to its
> > usefulness and generic name. However, if we specified that Referer-Root
> > should only ever be included in cross-site requests, then that should
> > mitigate that problem. In fact, I've wanted to add a header for
> > cross-site image and script loads to allow the server to reject these
> > more easily. (That would of course not be part of this spec.)
>
> I agree this is a problem. I think if we remove the "deny" rule and say
> that Referer-Root is the way to detect third-party access, we should
> rename the header to be absolutely clear as to what is going on.
>
> I recommend the name Access-Control-Origin.
>
> At this point it would make sense to rename the Method-Check-* headers
> too. I recommend changing the "Method-Check-" part to "Access-Control-",
> so that the headers are:
>
> On requests from a client:
>   Access-Control-Origin
>
> On responses to OPTIONS when the policy is elsewhere:
>   Access-Control-Policy-Path
>
> On all other responses:
>   Access-Control
>   Access-Control-Max-Age
>   Access-Control-Policy-Path
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
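The server-level gate that Thomas Roessler suggested and Ian's renamed headers, sketched as an added example (this is not code from the thread, the WAF WG, or any draft of the spec). It assumes the request marker header is called Access-Control-Origin as proposed above, that it is sent only on cross-site requests, and it uses a made-up allow-list policy plus an assumed `allow <origin>` value syntax for the Access-Control response header; `Request`, `Response`, `gate` and `app_handler` are hypothetical names chosen here. The point it demonstrates is that one check in front of the application refuses every request carrying the marker from an origin the policy does not allow, whether it is an OPTIONS preflight or the real request, so a cached OPTIONS can never let an unsafe method reach application code:

```python
"""Single cross-site gate in front of an application (added illustration, not spec text)."""
from dataclasses import dataclass, field

# Marker header name from the thread's renaming proposal (Referer-Root in the draft).
MARKER = "access-control-origin"

# Assumed policy for illustration: a fixed allow-list of origins and a cache lifetime.
ALLOWED_ORIGINS = {"https://app.example"}
MAX_AGE_SECONDS = 600

# Records every request that reaches application code, so the test can prove
# that refused cross-site requests never get there.
HANDLER_LOG = []


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased by the (assumed) server front end


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def app_handler(req: Request) -> Response:
    """Hypothetical CGI-style application code with a state-changing POST."""
    HANDLER_LOG.append((req.method, req.path))
    if req.method == "POST":
        return Response(200, body="state changed")
    return Response(200, body="data")


def policy_headers(origin: str) -> dict:
    """Response headers for an allowed origin. The 'allow <origin>' value
    syntax is an assumption made for this example."""
    return {
        "Access-Control": f"allow <{origin}>",
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
    }


def gate(req: Request) -> Response:
    """Runs before any application code, for every request."""
    origin = req.headers.get(MARKER)
    if origin is None:
        # No marker: the thread assumes the header is only ever sent on
        # cross-site requests, so this is a same-site request.
        return app_handler(req)
    if origin not in ALLOWED_ORIGINS:
        # Server-level refusal: the request is stopped here regardless of
        # method, so a cached OPTIONS cannot let a later POST slip through.
        return Response(403, body="cross-site request refused")
    if req.method == "OPTIONS":
        # Preflight for an allowed origin: answer with the policy only,
        # never with application output.
        return Response(200, headers=policy_headers(origin))
    resp = app_handler(req)
    resp.headers.update(policy_headers(origin))
    return resp


if __name__ == "__main__":
    # Constructed sample traffic.
    print(gate(Request("GET", "/data", {})))
    print(gate(Request("OPTIONS", "/data", {MARKER: "https://app.example"})))
    print(gate(Request("POST", "/data", {MARKER: "https://other.example"})))
    print("reached application:", HANDLER_LOG)
```

Because the decision is keyed on the marker header rather than on the HTTP method, removing the per-method list from Access-Control (as Jonas proposes) costs nothing here: an origin is either allowed or refused before the method matters.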
