Re: [access-control] Update

2008-07-10 Thread Jonas Sicking


Anne van Kesteren wrote:
> On Thu, 10 Jul 2008 01:13:52 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:
>> Anne van Kesteren wrote:
>>> This is exactly how postMessage() works and it seems nice to align
>>> with that.
>>
>> I am very strongly against this syntax as it gives a false sense of
>> security. To the point where I don't think I'd be willing to implement
>> it in Firefox. The fact that postMessage allows this sounds very
>> unfortunate and something that I will look into fixing in that spec.
>
> Let me know how that works out. postMessage() is shipping already in
> various implementations...

I will keep you updated.

Until then I very strongly feel we need to change the parsing rules to
refer to RFCs 3986 and 3490 the way the previous draft did.

>> Additionally, the way the spec was written before we could create a
>> conformant implementation now without having to worry about HTML5
>> changing things under us.
>
> Well, in the end we want all those concepts implemented in the same
> way everywhere, right? So I'm not sure how this matters.

>> So why not let HTML5 refer to Access-Control?
>
> I don't really see how that would work.

Access-Control can define how to parse the 'origin' part of the URI and
HTML5 can refer to that. Or they can both refer to the same RFCs.


/ Jonas



Re: [access-control] Update

2008-07-10 Thread Jonas Sicking


Anne van Kesteren wrote:
> * Access-Control is now Access-Control-Origin which takes * or a URL.
> In other words, whether or not a site grants access is simplified *a
> lot*. Implementors who told me this was the most complex part to
> implement can rejoice. This also makes this specification consistent
> with Web Sockets and postMessage(), both defined in HTML5.
> (Access-Control-Origin is not to be confused with the old
> Access-Control-Origin, which is now Origin.)
>
> * Access-Control-Credentials provides an opt in mechanism for
> credentials. Whether or not credentials are included in the request
> depends on the credentials flag, which is set by a hosting
> specification. Preflight requests are always without credentials.


An alternative syntax I've been thinking about for opting in to cookies is:

Access-Control: allow-with-credentials http://foobar.com

There are a couple of advantages to this syntax. First of all it keeps 
down the number of headers. Second, and more importantly, it cleanly 
disallows opting in to cookies while wildcarding. We'd simply make the 
syntax for the header


Access-Control : allow-rule | allow-with-cred-rule
allow-rule: allow  (URL | *) 
allow-with-cred-rule: allow-with-credentials  URL 

One, albeit not big, issue with the current proposal is that it allows 
someone to say:


Access-Control-Origin: *
Access-Control-Allow-Credentials: true

which is somewhat unfortunate. While this can be defined to be rejected 
by an implementation that supports the Access-Control-Allow-Credentials 
header, an implementation like XDR which doesn't will still allow the 
syntax.


/ Jonas
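The two header syntaxes compared in the message above, as an added example that is not part of the original thread, the Access-Control draft, XDR or any browser. It models the grant decision for the draft's two-header form (Access-Control-Origin plus Access-Control-Allow-Credentials), the same decision as made by an implementation that does not know the credentials header, and a parser for the proposed single Access-Control header following the grammar as quoted. Assumed details: headers are passed as an object keyed by lowercase header name, origins are compared by plain string equality (the RFC 3986/3490 parsing question from the first message is out of scope here), and a "URL" in the proposed grammar is anything starting with http:// or https://.

```javascript
// Added example, not code from the Access-Control draft, XDR or any browser.
// Assumptions: `headers` is an object keyed by lowercase header name, origins
// are compared by plain string equality, and a "URL" in the proposed grammar
// is anything starting with http:// or https://.

function isUrl(s) {
  return typeof s === 'string' && /^https?:\/\/\S+$/.test(s);
}

// Draft form: Access-Control-Origin (* or URL) plus Access-Control-Allow-Credentials.
// `credentialsFlag` is the hosting spec's flag saying the request carries cookies.
function decideTwoHeader(headers, requestOrigin, credentialsFlag) {
  const allowOrigin = (headers['access-control-origin'] || '').trim();
  const allowCreds = (headers['access-control-allow-credentials'] || '').trim() === 'true';
  if (allowOrigin === '') return false;
  if (allowOrigin === '*') {
    // The syntax lets a server send "*" together with allow-credentials: true.
    // An implementation that knows the credentials header has to remember to
    // refuse pairing a wildcard with a credentialed request.
    return !credentialsFlag;
  }
  if (allowOrigin !== requestOrigin) return false;
  return credentialsFlag ? allowCreds : true;
}

// The same headers as seen by an implementation that does not know the
// credentials header at all (the XDR situation described in the message):
// it only looks at Access-Control-Origin, so "*" is accepted regardless.
function decideLegacy(headers, requestOrigin) {
  const allowOrigin = (headers['access-control-origin'] || '').trim();
  return allowOrigin === '*' || allowOrigin === requestOrigin;
}

// Proposed single-header form, per the grammar quoted in the message:
//   Access-Control : allow-rule | allow-with-cred-rule
//   allow-rule: allow (URL | *)
//   allow-with-cred-rule: allow-with-credentials URL
// Returns {credentials, target}, or null when the value does not match the
// grammar. Since allow-with-credentials only takes a URL, the value
// "allow-with-credentials *" is a syntax error rather than a policy every
// implementation must separately remember to reject.
function parseAccessControl(value) {
  const parts = (value || '').trim().split(/\s+/);
  if (parts.length !== 2) return null;
  const [rule, target] = parts;
  if (rule === 'allow' && (target === '*' || isUrl(target))) {
    return { credentials: false, target };
  }
  if (rule === 'allow-with-credentials' && isUrl(target)) {
    return { credentials: true, target };
  }
  return null;
}

function decideSingleHeader(headers, requestOrigin, credentialsFlag) {
  const rule = parseAccessControl(headers['access-control']);
  if (rule === null) return false; // unparseable header: deny
  if (rule.target !== '*' && rule.target !== requestOrigin) return false;
  if (credentialsFlag && !rule.credentials) return false;
  return true;
}

// Constructed sample: the combination the message calls unfortunate.
const sampleHeaders = {
  'access-control-origin': '*',
  'access-control-allow-credentials': 'true',
};
console.log('credentials-aware:', decideTwoHeader(sampleHeaders, 'http://foobar.com', true));
console.log('credentials-unaware:', decideLegacy(sampleHeaders, 'http://foobar.com'));
```

The point the two decision functions make concrete: with the two-header syntax the wildcard-plus-credentials response is accepted or rejected depending on which headers the client implements, whereas with the single-header grammar the credentialed wildcard cannot be written at all, so every parser rejects it for free.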