not too important, determining the base URI seems
important enough to justify this.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
fulfilled his actions in a timely and considerate manner.
We have had plenty of telcons for Access Control, close to none (if not
none) attended by Microsoft:
http://www.google.com/search?q=WAF+WG+Access+Control+Voice+Conf
--
Anne van Kesteren
http://annevankesteren.nl/
http
makes more sense to me (and maybe allowing it to be influenced by a flag):
http://lists.w3.org/Archives/Public/public-appformats/2008May/0007.html
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
Hi,
Is everyone leaving Thursday evening or Friday or some people staying
until Saturday/Sunday? I'm trying to book flights and I'm not sure what
return ticket to take.
Cheers,
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
.)
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
in the tree (or want your code to work whether or not you do).
My proposal is indeed to fix DOM Core.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
of a problem.
Also, technically it is the superior solution, which should take care of 2.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
any changes so in case of a language not
supporting optional arguments I suggest that language picks the version
with the most arguments. I'd rather not add additional IDL information for
such languages as they're probably a 1% use case.
--
Anne van Kesteren
http://annevankesteren.nl/
http
On Thu, 10 Jul 2008 01:13:52 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:
Anne van Kesteren wrote:
This is exactly how postMessage() works and it seems nice to align
with that.
I am very strongly against this syntax as it gives a false sense of
security. To the point where I don't think
originally proposed this to Lachlan I suggested making it a feature
for non-ECMAScript implementations. I agree that making it optional is not
good.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Mon, 14 Jul 2008 21:30:18 +0200, Boris Zbarsky [EMAIL PROTECTED] wrote:
Anne van Kesteren wrote:
How do I select all the inline SVG images on the page?
div svg, p svg
though it's not quite as thorough as your solution.
Offhand, you're missing td, span, body to cover any sort
van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
be
fine I think.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Fri, 08 Aug 2008 11:20:44 +0200, Julian Reschke [EMAIL PROTECTED]
wrote:
Anne van Kesteren wrote:
On Fri, 08 Aug 2008 08:28:48 +0200, Jonas Sicking [EMAIL PROTECTED]
wrote:
Anne van Kesteren wrote:
My plan is to simply require Access-Control-Allow-Origin to hold the
ASCII
-Control-Allow-Origin to have the same value as Origin.
(It seems that Ian has used this approach for WebSocket as well.)
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
the arguments about this being too complex to implement).
Seems like an argument to drop the redundant childElementCount attribute...
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
just reference DOM Level 2 Core? There's a lot in DOM Level 3 Core
that's not really implemented yet or necessarily desirable.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
things simpler that seems better.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Tue, 15 Jul 2008 01:02:58 +0200, Anne van Kesteren [EMAIL PROTECTED]
wrote:
Since implementations need answers to various open issues soonish and
I'm leaving on vacation roughly two days from now I'll propose various
solutions here and try to integrate them in drafts later on:
I made
draft is (still) here:
http://dev.w3.org/2006/waf/access-control/
Kind regards,
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
in mind (or knew about it).
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Mon, 11 Aug 2008 00:57:15 +0200, Anne van Kesteren [EMAIL PROTECTED]
wrote:
For when I next edit this draft (hopefully soon):
* Origin header shouldn't point to the origin definition.
* Exception codes need to be changed. (See XMLHttpRequest Level 1.)
* Upload notifications
On Thu, 04 Sep 2008 14:08:02 +0200, Anne van Kesteren [EMAIL PROTECTED]
wrote:
http://dev.w3.org/2006/webapi/XMLHttpRequest-2/ contains edits needed
for this, as well as some other clarifications and updates from
XMLHttpRequest Level 1.
In fact, it might be worth publishing another copy
.
Thanks!
For reference, this was in reply to:
http://lists.w3.org/Archives/Public/public-webapps/2008AprJun/0381.html
http://lists.w3.org/Archives/Public/public-webapps/2008AprJun/0398.html
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
an associated send() flag...
Fixed, thanks. (Changed the list by the way from public-webapi to
public-webapps.)
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
) by the specification.
Given that interoperability on encoded-word is very poor I suggest we keep
it that way.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
that are
necessary.)
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Fri, 05 Sep 2008 14:42:45 +0200, Boris Zbarsky [EMAIL PROTECTED] wrote:
Anne van Kesteren wrote:
On Fri, 05 Sep 2008 09:43:29 +0200, Jonas Sicking [EMAIL PROTECTED]
wrote:
http://foo.com
and
http://foo.com:80
are the same origin but have different string representations.
Yes, authors
, no? That is, if load/abort/error are
dispatched as the default action of loadend/done/..., of which I'm not
sure it's a good idea.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
setRequestHeader()...
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
for not putting it there
at all unless the media type is text or it is already present makes some
sense though.
In any case, my other example (JavaScript) remains.
Is that being transmitted over XMLHttpRequest? And using a media type
Internet Explorer does not support for ECMAScript?
--
Anne van
On Fri, 19 Sep 2008 23:26:23 +0200, Boris Zbarsky [EMAIL PROTECTED] wrote:
Anne van Kesteren wrote:
Well, correcting charset is fine. The suggestion for not putting it
there at all unless the media type is text or it is already present
makes some sense though.
I might be convinced
Updated draft:
http://dev.w3.org/2006/waf/access-control/
On Mon, 15 Sep 2008 17:08:20 +0200, Jonas Sicking [EMAIL PROTECTED] wrote:
Anne van Kesteren wrote:
It also seems arbitrary that depending on registered event listeners
(also specifically before invoking send()) the server needs
On Thu, 25 Sep 2008 19:12:54 +0200, Anne van Kesteren [EMAIL PROTECTED]
wrote:
On Thu, 25 Sep 2008 19:01:57 +0200, Jonas Sicking [EMAIL PROTECTED]
wrote:
We'd also need to do it if 'load' has been registered. I would in
general say that we should force it if any events have been
registered
On Mon, 29 Sep 2008 18:03:43 -0400, Jonas Sicking [EMAIL PROTECTED] wrote:
Anne van Kesteren wrote:
Then I'll specify the former as special casing those methods here is
something I'd rather not do. I'd much rather have addEventListener,
addEventListenerNS, onprogress, etc. work consistently
' as well,
Why is that?
so why not also 'loadstart' and 'error'.
We could do that I suppose. It would require doing an origin check before
returning on send() in the asynchronous case, but that shouldn't be much
of an issue.
--
Anne van Kesteren
http://annevankesteren.nl/
http
this draft is in flux, but it has one important
feature that a previous version of this draft didn't have, namely a link
to the Latest Editor Version, right at the top.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
.
It would be nice to have access to the raw byte stream, as authors
currently use ugly hacks to get to it, but higher level support for byte
streams is somewhat of a prerequisite.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Fri, 03 Oct 2008 14:10:43 +0200, Anne van Kesteren [EMAIL PROTECTED]
wrote:
Since Jonas didn't e-mail about this I thought I would. Say
http://x.example/x does a request to http://y.example/y.
http://y.example/y redirects to http://x.example/y. If this request were
to use the Access
works ok in practice.
Yeah, some colleagues suggested it could indeed be as simple as
CanvasPixelArray. Would be good to hear what the ECMAScript guys think.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
the credentials flag
part of the primary key everywhere.
Indeed. It didn't seem to be worth the trouble to optimize for public non
credentialed requests for URLs that already have a credentialed cache
entry.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
of is the editor's draft of XMLHttpRequest Level 1 (aka The
XMLHttpRequest Object) and the other is for XMLHttpRequest Level 2.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
-message-headers/current/msg00094.html
This is all just provisional registration for what it's worth. Permanent
registration happens when the draft becomes a Recommendation.
Kind regards,
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
be able to change its
origin property to use the string null in these cases too.
If HTML5 were to change Access Control would also automatically change.
However, browsers are already deploying this. Then again, I haven't
actually tested if any browser does Origin correctly yet.
--
Anne van
starts to happen on the IETF headers mailing list that needs addressing...
PS: I haven't yet reviewed what Jonas and Arthur have suggested. I will
try to get on that soonish.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
for now although the list is sort
of open for modification.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On product: XHR2
XHR2/upload should probably have onloadend attribute.
The spec should also mention when to dispatch loadend (maybe it is
enough to refer to Progress Events spec)
What is the use case for loadend?
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
. The ability to split up a large file
in a number of smaller files so you can e.g. resume upload if something
goes wrong from a particular point was important.
Everyone was ok with having access to the file data be asynchronous as far
as I could tell.
--
Anne van Kesteren
http
On Thu, 23 Oct 2008 13:21:37 +0200, Anne van Kesteren [EMAIL PROTECTED]
wrote:
On Thu, 23 Oct 2008 13:13:33 +0200, Web Applications Working Group Issue
Tracker [EMAIL PROTECTED] wrote:
XHR2/upload should probably have onloadend attribute.
The spec should also mention when to dispatch
? I.e. why would you want to
prevent abort/error/load from firing?
I do like the symmetry in the current proposal where loadstart is the
first thing that fires, and loadend is the last thing. Seems very
intuitive.
I agree that dispatching loadend last makes sense.
--
Anne van Kesteren
http
not be thrown during the open()
method invocation as the specification requires?
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Sun, 23 Nov 2008 18:13:41 +0100, Hallvord R. M. Steen
[EMAIL PROTECTED] wrote:
On Fri, 21 Nov 2008 21:14:59 +0100, Anne van Kesteren [EMAIL PROTECTED]
wrote:
var xhrConstructor = iframe.contentWindow.XMLHttpRequest;
iframe.src='http://attackee.example.com/';
.
.
var xhr = new
December 18 sounds good to me.
Kind regards,
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
for Selectors-API:
what module/java-package will it be in?
I'd hope non-ECMAScript languages have a better API for dealing with HTTP
:-) In other words, does it really matter?
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
are not enforced (per
specification), yet are RFC 2119 MUST requirements in their respective
specifications. (Though in case of scripting MUST requires solving a
certain unsolvable problem, so maybe MUST is not that appropriate...)
--
Anne van Kesteren
http://annevankesteren.nl/
http
/show_bug.cgi?id=380418
This is the exact same approach Opera has been following for a while. I
have made this a requirement in the XMLHttpRequest specifications (the
draft versions, of course).
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
the httponly cookie note as it
is no longer necessary.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Tue, 25 Nov 2008 21:18:44 +0100, Olli Pettay [EMAIL PROTECTED]
wrote:
Hi Anne,
it would be great to get the 50ms to the draft spec ;)
Fixed! (Been away for a while, hence the delay.)
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
this. It makes the IDL unreadable in my
opinion and I believe it is not required in Web IDL (and if it is we
should change that :-)).
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Wed, 10 Dec 2008 16:04:08 +0100, Anne van Kesteren [EMAIL PROTECTED]
wrote:
On Sun, 07 Dec 2008 23:14:34 +0100, Kartikaya Gupta
[EMAIL PROTECTED] wrote:
The editor's draft of the XHR spec doesn't say when to clear the error
flag. Based on experimentation I'm guessing it's supposed
assume you're sticking with your plan of not
specifying a module/namespace?
It seems like clutter to me. Can't we have a default module all W3C
specifications use unless otherwise specified?
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
for actual header values, and make some sensible
rules from that.
It also says that UAs should have an Accept header of */* when they supply
one. Does the server still give XML back in that scenario?
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
is)
But most Web authors know Selectors (from CSS), but hardly know XPath.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
header be renamed to something other than Origin.
I'm fine with renaming it to Access-Control-Request-Origin as far as the
Access Control draft is concerned.
Maciej, Sam, Adam?
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
, they're just opaque strings, but at least making it more
clear what the specification is about might help people.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
://www.rfc-editor.org/rfc/rfc3864.txt
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
will most definitely not change and I wasn't planning on changing the
names of definitions either, to be honest.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
of the API. (Of course, the
semantics would be identical to what they are now.)
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
the difference.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
to site C,
the UA adds the header Origin: A, B
This would mean significant changes to the draft which would not work well
for Microsoft. Renaming I would like to consider, changing the semantics
drastically seems out of order at this point.
--
Anne van Kesteren
http
, things like
https://google.com and http://google.com
are same domain, but definitely not same origin. The distinction is pretty
important.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
Hi Adam,
I heard you might be going to work on an IETF draft for the Origin header
which both HTML5 and CORS (formerly access-control) could reference? Is
that still planned?
Kind regards,
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
for the draft is. For me it does not really matter where the
Origin header is defined, although I suppose it would help HTML5 in a
technical sense if it was defined in a standalone draft (although I
suspect that HTML5 will have to depend on CORS anyway for some of its
features).
--
Anne van
this? It might help to outline that in the draft.
Thanks for working on this by the way!
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
interfaces will be in? That would save a lot of
redundant data in the primary user of this specification, namely W3C
specifications extending the dom module.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
the
API more complex is not worth it.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
/2006/waf/access-control/#access-control-allow-origin-header
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
on the wording
in the latest draft:
http://dev.w3.org/2006/waf/access-control/
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Mon, 09 Feb 2009 14:25:37 +0100, Thomas Roessler t...@w3.org wrote:
On 9 Feb 2009, at 13:57, Anne van Kesteren wrote:
* There was a logic error in the cache processing model.
I wonder whether that part of the spec is actually being implemented (or
found useful by implementors
it makes actual sense to use
inheritance.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
I took a stab at ACTION-11 which is currently assigned to Maciej:
http://www.w3.org/2008/webapps/track/actions/11
http://dev.w3.org/2006/waf/access-control/#use-cases
If this is good enough I suggest we close the action.
--
Anne van Kesteren
http://annevankesteren.nl/
http
/CR-xbl-20070316/#security
and maybe some discussion with Ian regarding this. It's been a while.
Does that help?
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
are dispatched is because
Internet Explorer already did that.
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
it a
recommendation in the specification (i.e. a should-level requirement).
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
IDL anyway.)
--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/
On Fri, 13 Feb 2009 04:57:19 +0900, Jonas Sicking jo...@sicking.cc wrote:
On Thu, Feb 12, 2009 at 8:19 AM, Anne van Kesteren ann...@opera.com
wrote:
The specification does not state it yet, but it has been suggested that
the maximum time any cache entry can persist in the preflight result
Here is an update on my last status message.
On Mon, 09 Feb 2009 21:43:54 +0900, Anne van Kesteren ann...@opera.com
wrote:
[...]
I would very much appreciate it if people involved in CORS (and other
interested parties of course) can read through this e-mail and share
their thoughts
On Mon, 09 Feb 2009 21:57:47 +0900, Anne van Kesteren ann...@opera.com
wrote:
After renaming the specification I decided to go through the normative
parts of the specification again to clean various things up and resolve
some outstanding issues. Since the October 6 editor's draft (last
On Wed, 25 Feb 2009 14:34:19 +0900, David Levin le...@chromium.org wrote:
Just to round out the thread :), I fixed my test for IE and found that
IE7 also throws an exception in this case.
So all is good, right? :-)
--
Anne van Kesteren
http://annevankesteren.nl/
.org/mid/op.upwgh60b64w...@annevk-t60.oslo.opera.com
I closed them apart from the action assigned to you.
--
Anne van Kesteren
http://annevankesteren.nl/
but lower case
here.
Media types are ASCII case-insensitive. E.g. if someone does
setRequestHeader("Content-type", "TEXT/Plain")
that should just work.
--
Anne van Kesteren
http://annevankesteren.nl/
events will only be dispatched if a
preflight request was made.
--
Anne van Kesteren
http://annevankesteren.nl/
want to do normalization of media types it seems better to do that
in XMLHttpRequest, no?
--
Anne van Kesteren
http://annevankesteren.nl/
misunderstands the HTTP protocol
by treating all redirects as redirects of the request, whereas many of
them are just redirects of the response.
Fair enough. Do you have specific suggestions for how we should handle
them instead?
--
Anne van Kesteren
http://annevankesteren.nl/
On Mon, 16 Mar 2009 11:12:01 -, Anne van Kesteren ann...@opera.com
wrote:
On Mon, 16 Mar 2009 12:07:22 +0100, Alexey Proskuryakov a...@webkit.org
wrote:
I think that the algorithm can only compare MIME types, not the full
Content-Type string.
I guess that makes sense.
I made
not been checked prior to the request. I think doing what the
specification suggests here is safest.
Overall, I still think that the only change we possibly want to make is
for preflight requests. I'd appreciate feedback!
--
Anne van Kesteren
http://annevankesteren.nl/
On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren ann...@opera.com
wrote:
* cross-origin request with preflight, actual request
If we want to follow redirects here at all we can only do it for
requests that do not require a preflight. Therefore I'm still not quite
convinced that we
On Tue, 17 Mar 2009 21:56:52 +0100, Anne van Kesteren ann...@opera.com
wrote:
On Tue, 17 Mar 2009 21:50:21 +0100, Anne van Kesteren ann...@opera.com
wrote:
* cross-origin request with preflight, actual request
If we want to follow redirects here at all we can only do it for
requests