
Snip!t from collection of Alan Dix



HTTP access control - MDC
https://developer.mozilla.org/En/HTTP_Access_Control

The Web Applications Working Group within the W3C has proposed the new Access Control for Cross-Site Requests recommendation, which provides a way for web servers to support cross-site access controls, which enable secure cross-site data transfers.  Of particular note is that this specification is used within an API container such as XMLHttpRequest as a mitigation mechanism, allowing the crossing of the same-domain restriction in Firefox 3.5 and beyond.  The information in this article is of interest to web administrators, server developers and web developers.  Another article for server programmers discussing access control from a server perspective (with PHP code snippets) is supplementary reading.  On the client, Firefox handles the components of access control, including headers and policy enforcement.  The introduction of this new capability, however, does mean that servers have to handle new headers, and send resources back with new headers.

This access control standard is supported by Firefox 3.5 and later, and is used to enable cross-site HTTP requests for:

* Invocations of the XMLHttpRequest API in a cross-site manner, as discussed above.  This is implemented in Firefox 3.5.
* Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be cross-site loaded and used by web sites that are permitted to do so.  This is implemented in Firefox 3.5.