So these are the open issues as far as I can tell. I haven't tried addressing any of them yet as I hope we get some more feedback first, but at some point we'll have to move forward.

Issue 1

Define a list of request headers that don't trigger a preflight request for a request using the HTTP GET method.

We already got some input on this. Once I get the WebApps wiki to work we should maybe list them there so we can brainstorm about it. The list would need to be evaluated by security folks.

Issue 2

Define a list of response headers that can be read after a cross-site request.

The Access Control specification needs to clearly define which response headers are visible after a cross-site request. This information is currently in the XMLHttpRequest Level 2 specification (in the getResponseHeader() section) and should be moved.

Issue 3

Jonas Sicking says there's a third issue, but he hasn't elaborated on that yet.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 11 April 2008 14:31:39 GMT