Wednesday, February 20, 2008

Access Control for Cross-site Requests

W3C announced that the Web Application Formats (WAF) Working Group has
released a new snapshot of the editor's draft of "Access Control for
Cross-site Requests." The WAF Working Group is part of the Rich Web
Clients Activity in the W3C Interaction Domain. The new snapshot includes
the recent HTTP header name changes and incorporates a new proposal for
limiting the number of requests needed when non-GET methods are used
against several different URIs that share the same origin. In addition to
those technical changes, it makes the (until now) implicit requirements
and use cases explicit by listing them in an appendix, and it adds a short
FAQ on design decisions.

Summary, quoting the draft:

"In Web application technologies that follow this pattern, network
requests typically use ambient authentication and session management
information, including HTTP authentication and cookie information. This
specification extends this model in several ways:

(1) Web applications are enabled to annotate the data that is returned in
response to an HTTP request with a set of origins that should be permitted
to read that information by way of the user's Web browser. The policy
expressed through this set of origins is enforced on the client.

(2) Web browsers are enabled to discover whether a target resource is
prepared to accept cross-site HTTP requests using non-GET methods from a
set of origins. The policy expressed through this set of origins is
enforced on the client.

(3) Server side applications are enabled to discover that an HTTP request
was deemed a cross-site request by the client Web browser, through the
Access-Control-Origin HTTP header. This extension enables server side
applications to enforce limitations on the cross-site requests that they
are willing to service.

This specification is a building block for other specifications, so-called
hosting specifications, which will define the precise model by which this
specification is used. Among others, such specifications are likely to
include XMLHttpRequest Level 2, XBL 2.0, and HTML 5 (for its server-sent
events feature)."

Note the division of labour in that summary: (1) and (2) are enforced by
the browser, so they protect the user's data from being read by a page on
another origin, but they do nothing against a client that is not a
browser. A server that wants to refuse cross-site requests outright has
to rely on (3) and check the Access-Control-Origin header itself, since
the request still arrives with the user's cookies and HTTP credentials.

According to the editor's note: "We expect the next draft to go to Last
Call so hereby we're soliciting input, once again, from the Forms WG, HTML
WG, HTTP WG, TAG, Web API WG, and Web Security Context WG..."
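The three mechanisms in the summary come down to a handful of small decisions: the browser works out whether a request is cross-site and, if so, attaches Access-Control-Origin; it decides whether a non-GET request has to be checked with the target first; and it withholds a cross-site response body whose origin set does not name the requesting origin. The server, which cannot count on any of that being enforced by a non-browser client, checks the header on its own. The JavaScript below models those decisions as plain functions. It is an added example, not code from the W3C draft or from this post. The post names only the Access-Control-Origin request header; the response header carrying the permitted origin set is called Access-Control-Allow-Origin here, which is the name the later CORS standard settled on and is an assumption about the 2008 draft's syntax. The origins, URLs and allowlist are constructed sample input.

```javascript
// Added example modelling the draft's three mechanisms; not code from the
// W3C draft or the blog post. Assumption: the response header naming the
// permitted origin set is "Access-Control-Allow-Origin" (the later CORS name);
// the request header "Access-Control-Origin" is the one the post names.

// Reduce a URL to its origin: scheme, host and port, nothing else.
// Two URLs that differ only in path are same-origin; a different port is not.
function originOf(url) {
  return new URL(url).origin; // e.g. "https://app.example:8443"
}

// Browser side: a request is cross-site when the page's origin differs
// from the target URL's origin.
function isCrossSite(requestingOrigin, targetUrl) {
  return originOf(targetUrl) !== requestingOrigin;
}

// Browser side, mechanism (3): mark a cross-site request with the
// requesting origin so the server can tell it apart from same-site traffic.
function buildRequestHeaders(requestingOrigin, targetUrl) {
  const headers = {};
  if (isCrossSite(requestingOrigin, targetUrl)) {
    headers['Access-Control-Origin'] = requestingOrigin;
  }
  return headers;
}

// Browser side, mechanism (2): a cross-site request with a non-GET method
// must first discover whether the target accepts it; GET is sent directly.
function needsPreflight(method, requestingOrigin, targetUrl) {
  return method.toUpperCase() !== 'GET' && isCrossSite(requestingOrigin, targetUrl);
}

// Browser side, mechanism (1): the server annotates the response with the
// set of origins permitted to read it. Space- or comma-separated list assumed.
function parseAllowedOrigins(headerValue) {
  if (!headerValue) return new Set();
  return new Set(headerValue.split(/[\s,]+/).filter(Boolean));
}

// The browser enforces the set: no header, or an origin that is not listed,
// means page script never sees the body. Exact string match on the origin.
function mayRead(requestingOrigin, responseHeaders) {
  const allowed = parseAllowedOrigins(responseHeaders['Access-Control-Allow-Origin']);
  return allowed.has('*') || allowed.has(requestingOrigin);
}

// Server side, mechanism (3): the browser's enforcement protects the user,
// not the server, and the request carries ambient credentials, so the server
// applies its own allowlist to Access-Control-Origin.
function serverDecide(request, allowlist) {
  const origin = request.headers['Access-Control-Origin'];
  if (origin === undefined) {
    // No marker: same-site request (or a non-conforming client). Serve it
    // without any cross-site annotation.
    return { status: 200, headers: {} };
  }
  if (!allowlist.has(origin)) {
    return { status: 403, headers: {} };
  }
  // Echo only an origin that is on the allowlist, never the raw header value.
  return { status: 200, headers: { 'Access-Control-Allow-Origin': origin } };
}

// End to end: what a conforming browser would let page script read.
function simulate(requestingOrigin, method, targetUrl, serverAllowlist) {
  const crossSite = isCrossSite(requestingOrigin, targetUrl);
  const request = { headers: buildRequestHeaders(requestingOrigin, targetUrl) };
  const response = serverDecide(request, serverAllowlist);
  return {
    preflight: needsPreflight(method, requestingOrigin, targetUrl),
    status: response.status,
    // Same-site responses are always readable; cross-site ones only when the
    // returned origin set names the requesting origin.
    readable: response.status === 200 && (!crossSite || mayRead(requestingOrigin, response.headers)),
  };
}

// Constructed sample: api.example trusts only app.example.
const SAMPLE_ALLOWLIST = new Set(['https://app.example']);
console.log(simulate('https://app.example', 'POST', 'https://api.example/v1/items', SAMPLE_ALLOWLIST));
console.log(simulate('https://evil.example', 'GET', 'https://api.example/v1/items', SAMPLE_ALLOWLIST));
```

Two details carry the security weight. Origins are compared as exact strings of scheme, host and port, so `https://app.example` and `https://app.example:8443` are different origins, as are `http://` and `https://` variants. And the server never reflects the incoming header value back; it emits an origin only after finding it on its allowlist, which is what stops a hostile page from granting itself read access by sending whatever origin it likes.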