
Re: Update to Access Control for Cross-site Requests

From: Kris Zyp <kris@sitepen.com>
Date: Mon, 7 Apr 2008 18:05:08 -0600
Message-ID: <2ee501c8990c$3612fb10$0500a8c0@kris>
To: "Jonas Sicking" <jonas@sicking.cc>, "Anne van Kesteren" <annevk@opera.com>
Cc: "Elias Sinderson" <elias@soe.ucsc.edu>, <public-appformats@w3.org>

>> However, maybe we should simply remove those and always require a 
>> preflight request for a request with "custom" headers. Not sure.
>
> I think it's useful to have a white-list of headers that should be safe 
> for GET requests without a pre-flight request. I would actually like to 
> expand the list a little. There was a thread on that a while ago, but it 
> seemed to have died without reaching a useful list.

I agree. Could we expand the whitelist of headers that do not require a 
preflight check (in GETs):
Accept
Accept-Language
If-Modified-Since
From
Range


Kris 
Received on Tuesday, 8 April 2008 00:08:02 GMT
