On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
I’m in time pressure to lock down the header names for Beta 2 to
integrate XDR with AC. It seems no body has objected to Jonas’s
proposal. http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
Please let me know if this discussion is closed so we can make the
change.
I think Anne's email represents the most recent agreement and I don't
think anyone has objected: http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
The change would be:
Instead of checking for "XDomainRequestAllowed: 1" check for "Access-
Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url" where
url matches what was sent in the Origin header.
Regards,
Maciej
Namely,
The changes to support the new Access control model is as follows –
· Change Referer header set in the request to Origin.
· Change the XDomainRequestAllowed header check from it
being “1” to check for Access-Control: allow <*>
In addition, I realized that the discussions we had in the F2F
(tracked by issue 32http://www.w3.org/2008/webapps/track/issues/32)
means that an access control check is now also performed when the
redirect steps are applied to prevent data leakage from intranet
pages. This is different from XDR as we currently do the check in
the final destination for redirection. I think the reason why we did
this in XDR was to allow cross domain resources to move around
easily. That said, I’m not religious about this issue either way.
(Adding my team-mates to hear if they have any concerns). I’ll ask
our dev to make the change, but before that I just wanted to confirm
the AC spec will be updated with this. Currently I couldn’t find
this in the updated spec but I could be wrong.
Thanks,