ISSUE-14

opt-into-methods-headers

Opting into methods/headers

State:
CLOSED
Product:
CORS
Raised by:
Anne van Kesteren
Opened on:
2008-06-23
Description:
[[ This issue was created on 2008-06-06 as Issue #27 in the Web Applications Formats (WAF) WG and is copied in totality to the Web Applications WG's Issues database:
<http://www.w3.org/2005/06/tracker/waf/issues/27> ]]

The current Access Control model allows all methods to be used and all headers (apart from a blacklist and some headers require a preflight request in case of GET).

There is a proposal to only allow methods and headers the server has opted into:

 [AC] Helping server admins not making mistakes
 <http://lists.w3.org/Archives/Public/public-appformats/2008May/0034.html>

 This would make the server more secure by default when opting into Access Control.

The drawback is again that it makes the model more complicated and more prone to bugs.
Related Actions Items:
No related actions
Related emails:
  1. [access-control] Proposal to Close Issue#14 - Opting into methods/headers (from art.barstow@nokia.com on 2008-10-09)
  2. [access-control] Issue list (from annevk@opera.com on 2008-07-08)
  3. ISSUE-14 (opt-into-methods-headers): Opting into methods/headers [Access Control] (from sysbot+tracker@w3.org on 2008-06-23)

Related notes:

2008-10-21 16:04:49: Closed. See: http://lists.w3.org/Archives/Public/public-webapps/2008OctDec/0073.html [Arthur Barstow]

Display change log ATOM feed

Charles McCathieNevile <chaals@opera.com>, Arthur Barstow <art.barstow@nokia.com>, Chairs, Doug Schepers <schepers@w3.org>, Michael(tm) Smith <mike@w3.org>, Staff Contacts
Tracker, originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: index.php,v 1.231 2009/11/16 15:00:54 dom Exp $