W3C Working Draft for Access Control for Cross-Site Requests Published

"This document defines a mechanism to enable client-side cross-site
   requests. Specifications that want to enable cross-site requests in an API
   they define can use the algorithms defined by this specification. If such
   an API is used on http://example.org resources, a resource on
   http://hello-world.example can opt in using the mechanism
   described by this specification (e.g., specifying
   Access-Control-Allow-Origin: http://example.org as response
   header), which would allow that resource to be fetched cross-site from
http://example.org."

Table of Contents

• 1. Introduction
     
• 2. Conformance Criteria
     
  • 2.1 Terminology
• 3. Security Considerations
     
• 4. Syntax
     
  • 4.1 Access-Control-Allow-Origin HTTP Response Header
        
  • 4.2 Access-Control-Max-Age HTTP Response Header
        
  • 4.3 Access-Control-Allow-Credentials HTTP Response Header
        
  • 4.4 Access-Control-Allow-Methods HTTP Response Header
  • 4.5 Access-Control-Allow-Headers HTTP Response Header
        
  • 4.6 Origin HTTP Request Header
        
  • 4.7 Access-Control-Request-Method HTTP Request Header
        
  • 4.8  Access-Control-Request-Headers HTTP Request Header
• 5. Processing Model
     
  • 5.1 Cross-Site Access Request
          
    • 5.1.1 Cross-Site Access source origin
            
    • 5.1.2 Cross-Site Access Request Header Lists
            
    • 5.1.3 Simple Cross-Site Access Request
            
    • 5.1.4 Cross-Site
      Access Request with Preflight
            
    • 5.1.5 Generic
      Cross-Site Access Request Algorithms
  • 5.2 Access Control
    Check
    "

Read More: http://www.w3.org/TR/2008/WD-access-control-20080912/