Jonas Sicking wrote:
Maciej Stachowiak wrote:
On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
I’m in time pressure to lock down the header names for Beta 2 to
integrate XDR with AC. It seems nobody has objected to Jonas’s
proposal.
http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
Please let me know if this discussion is closed so we can make the
change.
I think Anne's email represents the most recent agreement and I don't
think anyone has objected:
http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
The change would be:
Instead of checking for "XDomainRequestAllowed: 1" check for
"Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin: url"
where url matches what was sent in the Origin header.
So I have one final request for a change to the above syntax.
How would people feel about the syntax
Access-Control-Allow-Origin: <url>
This would give us at least something for a forward compatibility story
if we wanted to add to the syntax in future versions of the spec. I
really think we are being overly optimistic if we think that the current
syntax is the be-all end-all syntax that we'll ever want.
For example during the meeting we talked about that banks might want to
enforce that the requesting site uses a certain level of encryption, or
even a certain certificate. A syntax for that might be:
Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
Or that the site in question uses some opt-in XSS mitigation technology
(such as the one drafted by Brandon Sterne in a previous thread in this
WG). This could be done as
Access-Control-Allow-Origin: origin <https://foo.com> require-xss-protection
So the formal syntax would be
"Access-Control-Allow-Origin:" "<" ("*" | url) ">"
We might also want to consider simply calling the header
Access-Control-Allow
Since the above future expansions would make the header not just contain
the origin, but also further restrictions on the origin.
/ Jonas
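The check Maciej summarises above (accept "Access-Control-Allow-Origin: *", or a value that matches the Origin the requester sent) is easy to get subtly wrong on both ends, so here is an added example of both sides of it. This is illustrative code written for this thread, not code from any browser, from IE's XDR implementation, or from the W3C draft; the allow-list, the function names and the sample origins are all constructed for the example. It deliberately compares whole, normalised origins rather than prefixes, and refuses to echo a "null" origin.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: the origins this server is
# willing to answer cross-site requests from.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def normalize_origin(value):
    """Canonicalise an origin string to scheme://host[:port].

    Returns the literal "null" for an opaque origin, and None for
    anything that is not a bare origin (path, query, userinfo, bad port).
    Case and default ports are folded so that comparisons are exact.
    """
    if value is None:
        return None
    value = value.strip()
    if value == "null":
        return "null"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allow_origin_header(request_origin, allowed=ALLOWED_ORIGINS, public=False):
    """Server side: value to send in Access-Control-Allow-Origin, or None.

    A public resource sends "*". Otherwise the requester's Origin is
    echoed back only when it exactly equals an allow-listed origin; a
    prefix or substring match would let app.example.com.evil.net through.
    The opaque origin "null" is never echoed, since any sandboxed or
    data: page could present it.
    """
    if public:
        return "*"
    origin = normalize_origin(request_origin)
    if origin is None or origin == "null":
        return None
    allowed_norm = {normalize_origin(a) for a in allowed} - {None, "null"}
    return origin if origin in allowed_norm else None


def response_permits_origin(sent_origin, acao_value):
    """Client side: the check described in the thread.

    True when the response carries "Access-Control-Allow-Origin: *" or a
    single origin equal to the one sent in the request's Origin header.
    A missing header or any other value means the response must not be
    exposed to the requesting page.
    """
    if acao_value is None:
        return False
    acao_value = acao_value.strip()
    if acao_value == "*":
        return True
    granted = normalize_origin(acao_value)
    return granted is not None and granted == normalize_origin(sent_origin)


if __name__ == "__main__":
    # Constructed request: a page on app.example.com asking our server.
    origin = "https://APP.example.com:443"
    header = allow_origin_header(origin)
    print("server sends:", header)
    print("client accepts:", response_permits_origin(origin, header))
    print("look-alike accepted:", allow_origin_header("https://app.example.com.evil.net"))
```

The normalisation step matters on the server side: if the allow-list entry is "https://app.example.com" and the browser sends "https://APP.example.com:443", a byte-for-byte comparison would wrongly refuse the request, while a loose `startswith` comparison would wrongly admit a look-alike host; comparing canonical origins avoids both failures.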