ISSUE-14: Opting into methods/headers
opt-into-methods-headers
- State: CLOSED
- Product: HISTORICAL: CORS [this spec uses Bugzilla for Bug/Issue tracking http://tinyurl.com/Bugz-CORS]
- Raised by: Anne van Kesteren
- Opened on: 2008-06-23
- Description:
- [[ This issue was created on 2008-06-06 as Issue #27 in the Web Applications Formats (WAF) WG and is copied in totality to the Web Applications WG's Issues database:
<http://www.w3.org/2005/06/tracker/waf/issues/27> ]]
The current Access Control model allows all methods to be used and all headers (apart from a blacklist, and some headers require a preflight request in the case of GET).
There is a proposal to only allow methods and headers the server has opted into:
[AC] Helping server admins not making mistakes
<http://lists.w3.org/Archives/Public/public-appformats/2008May/0034.html>
This would make the server more secure by default when opting into Access Control.
The drawback is again that it makes the model more complicated and more prone to bugs.
- Related Actions Items: No related actions
- Related emails:
- [access-control] Proposal to Close Issue#14 - Opting into methods/headers (from art.barstow@nokia.com on 2008-10-09)
- [access-control] Issue list (from annevk@opera.com on 2008-07-08)
- ISSUE-14 (opt-into-methods-headers): Opting into methods/headers [Access Control] (from sysbot+tracker@w3.org on 2008-06-23)
Related notes:
Closed. See: http://lists.w3.org/Archives/Public/public-webapps/2008OctDec/0073.html
Arthur Barstow, 21 Oct 2008, 16:04:49