QA/Firefox3.5/XHR TestPlan

Revision as of 04:19, 5 September 2008 by Ctalbert

XHR Test plan

Overview

Cross-site XHR provides a mechanism to safely allow cross-site XHR calls to a whitelisted group of domains while keeping private information on web sites safeguarded.

Test Strategy

  • Test that we handle redirects to non-same origin hosts properly
  • Test that we handle redirects to same origin hosts without change (i.e. behavior should not be affected)
  • Test that internal resources that exist and do not exist look the same until access is granted to the requestor
  • Test that HTTP header data is not exposed (HOW?)
  • Ensure that cookies are not set for the request (HOW?)
  • Test that malformed Access-Control-Allow-Origin flags are thrown out
  • Test that the wildcards work
  • Test the delta-seconds timeout on the max-age header
  • Verify each algorithm outlined in the Processing model
    • 5.1 Cross-Site Access Request
    • 5.1.1 Cross-site access source origin
    • 5.1.2 Cross-Site Access Request Header Lists
    • 5.1.3 Simple Cross Site Access Request
    • 5.1.4 Cross site Access Request with Preflight
    • 5.1.5 Ensure these redirect policies are followed for generic XS access requests
    • 5.2 Ensure the access control check is properly followed (tests that error out at each stage)
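
As an added example (not part of the original test plan or of Mozilla's test suite), the malformed-header and wildcard items above can be written as a table-driven check. It models the Access-Control-Allow-Origin comparison as the current Fetch standard defines it, which may differ from the 2008 draft this plan refers to; `allowOriginMatches`, `runCases`, the origins and the case table are all constructed for illustration.

```javascript
// Added example: models only the Access-Control-Allow-Origin comparison.
// Access-Control-Allow-Credentials is a separate check and is not modelled.

// headerValues: every Access-Control-Allow-Origin value on the response,
// one array entry per header line. Returns true if the comparison passes.
function allowOriginMatches(requestOrigin, headerValues, withCredentials = false) {
  if (!Array.isArray(headerValues) || headerValues.length === 0) return false;
  // Repeated headers are combined with ", ", so a repeated value never matches.
  const value = headerValues
    .map((v) => v.replace(/^[ \t]+|[ \t]+$/g, "")) // strip HTTP whitespace
    .join(", ");
  // The wildcard only applies to requests made without credentials.
  if (value === "*") return !withCredentials;
  // Otherwise the value must equal the serialized origin byte for byte:
  // no path, no trailing slash, no case folding, no pattern matching.
  return value === requestOrigin;
}

const ORIGIN = "http://app.example"; // constructed requesting origin

// [description, header values, withCredentials, expected result]
const CASES = [
  ["exact origin", [ORIGIN], false, true],
  ["surrounding whitespace", ["  " + ORIGIN + "\t"], false, true],
  ["wildcard", ["*"], false, true],
  ["wildcard with credentials", ["*"], true, false],
  ["header absent", [], false, false],
  ["empty value", [""], false, false],
  ["trailing slash", [ORIGIN + "/"], false, false],
  ["different scheme", ["https://app.example"], false, false],
  ["different port", [ORIGIN + ":8080"], false, false],
  ["upper-case host", ["http://APP.example"], false, false],
  ["subdomain pattern", ["http://*.example"], false, false],
  ["space-separated list", [ORIGIN + " http://other.example"], false, false],
  ["repeated header", [ORIGIN, ORIGIN], false, false],
  ["literal null", ["null"], false, false],
];

// Returns the descriptions of cases whose result differs from the expectation.
function runCases() {
  return CASES
    .filter(([, values, creds, expected]) =>
      allowOriginMatches(ORIGIN, values, creds) !== expected)
    .map(([description]) => description);
}
```

An empty array from `runCases()` means every case behaved as listed; each row maps directly onto one response a test server would need to serve.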

Things we'd like to get to testing

Can we get the security team to help with some of this part?

  • All the items in the "Requirements" section are nice-to-haves, but they sound pretty crucial to releasing this as a secure feature of the product.

Schedule Scoping

Patch landed, was reopened.

It's going to take probably the better part of a week to get these implemented, unless we come up with a pretty simple way to fake the XS scripting stuff in mochitest. Todo: Look for example tests
