Jonas Sicking wrote:
Jonas Sicking wrote:
Maciej Stachowiak wrote:
On Jul 18, 2008, at 4:20 PM, Sunava Dutta wrote:
I’m in time pressure to lock down the header names for Beta 2 to
integrate XDR with AC. It seems nobody has objected to Jonas’s
proposal.
http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0175.html
Please let me know if this discussion is closed so we can make the
change.
I think Anne's email represents the most recent agreement and I don't
think anyone has objected:
http://lists.w3.org/Archives/Public/public-webapps/2008JulSep/0142.html
The change would be:
Instead of checking for "XDomainRequestAllowed: 1" check for
"Access-Control-Allow-Origin: *" or "Access-Control-Allow-Origin:
url" where url matches what was sent in the Origin header.
So I have one final request for a change to the above syntax.
How would people feel about the syntax
Access-Control-Allow-Origin: <url>
This would give us at least something for a forwards compatibility
story if we wanted to add to the syntax in future versions of the
spec. I really think we are being overly optimistic if we think that
the current syntax is the be-all end-all syntax that we'll ever want.
For example during the meeting we talked about that banks might want
to enforce that the requesting site uses a certain level of
encryption, or even a certain certificate. A syntax for that might be:
Access-Control-Allow-Origin: origin <https://foo.com> encryption sha1
Or that the site in question uses some opt-in XSS mitigation
technology (such as the one drafted by Brandon Sterns in a previous
thread in this WG). This could be done as
Access-Control-Allow-Origin: origin <https://foo.com>
require-xss-protection
So the formal syntax would be
"Access-Control-Allow-Origin:" "<" ("*" | url) ">"
We might also want to consider simply calling the header
Access-Control-Allow
Since the above future expansions would make the header not just contain
the origin, but also further restrictions on the origin.
Actually, after some further thought on this, even the extra
restrictions put on the origin, is still about the origin, so keeping
the header name as is is fine with me.
But I do think we should put the '<' '>' around it.
/ Jonas
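As an added example (not code from the thread, and not any browser's implementation), the following is the client-side check the thread agrees on, written as a standalone decision function: a cross-site response is exposed to the page only if Access-Control-Allow-Origin is "*" or is byte-for-byte the value the request sent in its Origin header. It also parses the "<...>" wrapped form Jonas proposes, using his formal syntax "<" ("*" | url) ">"; any trailing tokens after the bracket (the hypothetical "encryption" or "require-xss-protection" restrictions) are treated as unknown and make the check fail closed. The bracketed form was never adopted by the final CORS specification, which uses the bare origin; it is accepted here only to show what the forwards-compatible syntax would take to parse. The sample request origin and response header values are constructed for the example.

```javascript
// Added example: not code from the thread or from any browser.
// Decides whether a cross-site response may be exposed to the calling page.

// Parse one Access-Control-Allow-Origin value into { origin, extras }.
// Returns null for anything that is neither the bare form ("*" or a single
// origin token) nor the bracketed form "<*>" / "<origin>" from the thread.
function parseAllowOrigin(headerValue) {
  if (typeof headerValue !== "string") return null;
  const value = headerValue.trim();
  if (value === "") return null;

  // Proposed forwards-compatible form: "<" ("*" | url) ">" [extra tokens].
  // Extra tokens are the hypothetical future restrictions; we keep them so
  // the caller can refuse what it does not understand.
  const bracketed = /^<([^<>\s]+)>(?:\s+(\S.*))?$/.exec(value);
  if (bracketed) {
    return {
      origin: bracketed[1],
      extras: bracketed[2] ? bracketed[2].split(/\s+/) : [],
    };
  }

  // Agreed 2008 form: exactly one token and nothing else. Two tokens
  // (e.g. a list of origins) is not the agreed syntax, so reject.
  if (/^\S+$/.test(value)) {
    return { origin: value, extras: [] };
  }
  return null;
}

// requestOrigin is the serialized origin sent in the request's Origin
// header, e.g. "https://foo.com". The comparison is an exact string match,
// so "https://foo.com/" or "http://foo.com" do not match "https://foo.com".
function isCrossOriginAccessAllowed(requestOrigin, allowOriginHeader) {
  const parsed = parseAllowOrigin(allowOriginHeader);
  if (parsed === null) return false;           // missing or malformed: deny
  if (parsed.extras.length > 0) return false;  // unknown restrictions: deny
  if (parsed.origin === "*") return true;      // wildcard: any origin
  return parsed.origin === requestOrigin;      // must echo our Origin exactly
}

// Constructed sample: a request from https://foo.com and several header
// values a server might send back, to show which ones the page may read.
const REQUEST_ORIGIN = "https://foo.com";
const SAMPLE_RESPONSES = [
  "*",
  "https://foo.com",
  "https://foo.com/",
  "http://foo.com",
  "<https://foo.com>",
  "<*>",
  "<https://foo.com> require-xss-protection",
  "https://foo.com https://bar.com",
  null,
];

function evaluateSamples() {
  return SAMPLE_RESPONSES.map((header) => ({
    header,
    allowed: isCrossOriginAccessAllowed(REQUEST_ORIGIN, header),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateSamples()) {
    console.log(`${String(r.header).padEnd(45)} -> ${r.allowed ? "allow" : "deny"}`);
  }
}
```

The fail-closed handling of trailing tokens is the design choice worth noting: a client that does not understand a restriction the server attached must not behave as if the restriction were satisfied, so an old client facing a newer header denies access rather than silently ignoring the extra syntax.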