Snip
|
The Web Applications Working Group within the W3C has pr... Access Control for Cross-Site Requests recommendation, w...
|
---|
Categories |
|
---|
For Snip |
loading snip actions ... |
---|---|
For Page |
loading url actions ... |
The Web Applications Working Group within the W3C has proposed the new Access Control for Cross-Site Requests recommendation, which provides a way for web servers to support cross-site access controls, which enable secure cross-site data transfers. Of particular note is that this specification is used within an API container such as XMLHttpRequest
as a mitigation mechanism, allowing the crossing of the same-domain restriction in Firefox 3.5 and beyond. The information in this article is of interest to web administrators, server developers and web developers. Another article for server programmers discussing access control from a server perspective (with PHP code snippets) is supplementary reading. On the client, Firefox handles the components of access control, including headers and policy enforcement. The introduction of this new capability, however, does mean that servers have to handle new headers, and send resources back with new headers.
This access control standard is supported by Firefox 3.5 and later, and is used to enable cross-site HTTP requests for:
XMLHttpRequest
API in a cross-site manner, as discussed above. This is implemented in Firefox 3.5.@font-face
within CSS), so that servers can deploy TrueType fonts that can only be cross-site loaded and used by web sites that are permitted to do so. This is implemented in Firefox 3.5.HTML |
<p>The <a class="external" title="http://www.w3.org/2008/webapps/" rel="external nofollow" href="http://www.w3.org/2008/webapps/" target="_blank">Web Applications Working Group</a> within the <a class="external" title="http://www.w3.org/" rel="external nofollow" href="http://www.w3.org/" target="_blank">W3C</a> has proposed the new <a class="external" title="http://dev.w3.org/2006/waf/access-control/" rel="external nofollow" href="http://dev.w3.org/2006/waf/access-control/" target="_blank">Access Control for Cross-Site Requests</a> recommendation, which provides a way for web servers to support cross-site access controls, which enable secure cross-site data transfers. Of particular note is that this specification is used within an <em>API container</em> such as <code><a class="internal" rel="internal" href="https://developer.mozilla.org/en/XMLHttpRequest">XMLHttpRequest</a></code> as a mitigation mechanism, allowing the crossing of the same-domain restriction in Firefox 3.5 and beyond. The information in this article is of interest to web administrators, server developers and web developers. Another article for server programmers discussing <a class="internal" rel="internal" href="https://developer.mozilla.org/En/Server-Side_Access_Control">access control from a server perspective (with PHP code snippets)</a> is supplementary reading. On the client, Firefox handles the components of access control, including headers and policy enforcement. The introduction of this new capability, however, does mean that servers have to handle new headers, and send resources back with new headers.</p> <p>This <a title="http://dev.w3.org/2006/waf/access-control/" class="external" rel="external nofollow" href="http://dev.w3.org/2006/waf/access-control/" target="_blank">access control standard</a> is supported by Firefox 3.5 and later, and is used to enable cross-site HTTP requests for:</p> <ul> <li>Invocations of the <a class="internal" rel="internal" href="https://developer.mozilla.org/en/XMLHttpRequest"><code>XMLHttpRequest</code></a> API in a cross-site manner, as discussed above. This is implemented in Firefox 3.5.</li> <li>Web Fonts (for cross-domain font usage in <code>@font-face</code> within CSS), <a title="http://www.webfonts.info/wiki/index.php?title=@font-face_support_in_Firefox" class="external" rel="external nofollow" href="http://www.webfonts.info/wiki/index.php?title=%40font-face_support_in_Firefox" target="_blank">so that servers can deploy TrueType fonts that can only be cross-site loaded and used by web sites that are permitted to do so.</a> This is implemented in Firefox 3.5.</li></ul> |
---|