Hi folks,

As requested (at least by myself :)) here is the list of things where
security policies in Firefox might be "overriding" what the spec
currently says:

1. Cookies
For some requests we might not send cookies depending on user
preferences and user choices. For example one setting we have allows the
user to be asked for each cross-site request whether cookies should be
included in the request or not. So each request might behave differently
depending on what the user chooses.
This currently only applies to cookies and not other authentication
mechanisms. However it's possible that it will apply to other mechanisms
in the future.

2. Banning certain servers
I think we have extensions that cause all connections to certain servers
to always fail.

3. Banning internet to intranet connections
Hopefully in the future we will implement a policy that allows servers
from the internet to connect to private IP ranges such as 192.168.x.x.
This will apply to all types of requests which includes AC requests.
Similarly, I would expect Microsoft to want to apply their zone features
to prevent sites from some zones from connecting to sites from some other zones.

4. Banning connections to local file system
This doesn't really apply any more since we no longer have the
processing instruction. But Firefox has a general policy not to allow
web sites to access resources from the local file system. This policy
will apply to Access-Control connections as well. Especially if we in
the future add something like the PI.

5. Banning HTTPS to HTTP connections
I'm not sure if we have policies about this right now, but I know we
will in the future. Under certain conditions we will deny an HTTPS site
from connecting to any HTTP sites, or possibly even any site that uses a
different certificate than the original site.

(2, 3, 4, 5 can be simplified as saying that we might by policy deny some
requests, even if the spec would otherwise allow it)

6. Banning certain headers
This might not apply to the AC spec any more if we have removed (or will
remove) the header blacklist. But it's possible that in the future we'll
discover other headers that should be blacklisted, even if the site opts
in to supporting it.

7. Cache eviction
As we talked about a lot at the F2F we'll likely in certain cases evict
things from the OPTIONS cache even before the spec says to do so.

These are the things that I can think of off the top of my head. It's
entirely possible that there are more though.

/ Jonas
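
Added example, not part of the original message and not Firefox code: a sketch of a policy gate for items 2 to 5, where a request can be denied before any Access-Control processing even if the spec would allow it. The names `policyDecision`, `isPrivateIPv4`, `isLocalTarget` and `BLOCKED_HOSTS`, the host `blocked.example`, and the unconditional HTTPS-to-HTTP rule are assumptions made for illustration.

```javascript
// Hypothetical policy gate; all names and sample hosts are constructed.
const BLOCKED_HOSTS = new Set(["blocked.example"]); // item 2: banned servers

// True for IPv4 literals in loopback, RFC 1918 or link-local ranges.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false;
  const [a, b] = octets;
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Literal check only: a DNS name that resolves to a private address is not
// caught here, so a real gate would also check the resolved address.
function isLocalTarget(host) {
  return host === "localhost" || host === "[::1]" || isPrivateIPv4(host);
}

// Returns { allow, reason }. "defer-to-spec" means policy has no objection
// and the normal Access-Control checks decide.
function policyDecision(originUrl, targetUrl) {
  const origin = new URL(originUrl);
  const target = new URL(targetUrl);
  const deny = (reason) => ({ allow: false, reason });

  // Item 4: web content never reaches the local file system.
  if (target.protocol === "file:") return deny("local-file");
  // Item 2: connections to banned servers always fail.
  if (BLOCKED_HOSTS.has(target.hostname)) return deny("blocked-server");
  // Item 3: a public origin may not reach loopback or private ranges.
  if (!isLocalTarget(origin.hostname) && isLocalTarget(target.hostname)) {
    return deny("internet-to-intranet");
  }
  // Item 5: assumed here to apply unconditionally.
  if (origin.protocol === "https:" && target.protocol === "http:") {
    return deny("https-to-http");
  }
  return { allow: true, reason: "defer-to-spec" };
}
```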