remove support for deny clauses in Access Control

RESOLVED FIXED

Status

()

Core
DOM
P1
normal
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: annevk, Assigned: sicking)

Tracking

unspecified
x86
Linux
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9 -

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 years ago
Support for the deny="" pseudo-attribute on <?access-control?> and "deny" ruleset on the Access-Control HTTP header should be removed from the implementation as it has been removed from the specification on request of Jonas Sicking.

They are not necessary given that the server can be easily configured to reject cross-site requests and there's an exclude clause to denote exceptions to the allow clause already.
Blocks: 408098
(Reporter)

Updated

10 years ago
Flags: blocking1.9?

Updated

10 years ago
Assignee: nobody → jonas
Flags: blocking1.9? → blocking1.9+
Priority: -- → P1
We're not doing cross-site XHR for this release due to security concerns :(
Flags: blocking1.9+ → blocking1.9-
This was done as part of bug 389508
Blocks: 389508
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
No longer blocks: 389508
Depends on: 389508
You need to log in before you can comment on or make changes to this bug.