Re: Access Control for Cross-site Requests WD Published

Fri, 15 Feb 2008 08:15:26 -0800 


A couple comments:
1. Why for non same-origin requests, are users limited to only setting "Accept" and "Accept-Language" HTTP headers. Couldn't we allow a larger set of safe headers to be included? At least one could define a prefixed set of allowable headers (like users could set headers "Cross-*"). This seems an excessive restraint and prevents some very useful functionality.
2. Can non-GET access only be granted as a response to user agent OPTION requests? Is there a reason that servers can't preemptively include access control headers (including policy path and max age) in GET responses to grant future non-GET request? Since most non-GET requests will probably be preceded by GET requests, it seems like user agents could more efficiently determine access level if prior responses explicity granted access. Of course, using the OPTION requests as outlined in the WD would still be appropriate if prior responses (if any) had not granted access.
This second question is not a big deal, the first one is more important to me. I am sorry if this already been discussed, I couldn't find anything such discussions in the archives. 

Thanks,
Kris
----- Original Message ----- From: "Anne van Kesteren" <[EMAIL PROTECTED]> 
To: "WAF WG (public)" <[email protected]>
Sent: Friday, February 15, 2008 7:37 AM
Subject: Access Control for Cross-site Requests WD Published




Hi all,
The WAF WG published a new snapshot of the editor's draft of Access Control for Cross-site Requests yesterday in the W3C Technical Report space. It includes recent HTTP header name changes and incorporates a new proposal for limiting the amount of requests in case of non-GET methods to various different URIs which share the same origin.
In addition to those technical changes it also makes the (until now) implicit requirements and use cases explicit by listing them in an appendix and contains a short FAQ on design decisions. 

  http://www.w3.org/TR/2008/WD-access-control-20080214/
We expect the next draft to go to Last Call so hereby we're soliciting input, once again, from the Forms WG, HTML WG, HTTP WG, TAG, Web API WG, and Web Security Context WG. (All on the "bcc list" so we don't get massive cross-list e-mailing.)
We appreciate input from anyone however, so feel free to forward or reply to this e-mail as you see fit. 

Kind regards,


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Reply via email to