- From: John Panzer <jpanzer@acm.org>
- Date: Thu, 14 Feb 2008 10:17:41 -0800
- To: Anne van Kesteren <annevk@opera.com>
- CC: Ian Hickson <ian@hixie.ch>, "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote: > On Thu, 14 Feb 2008 06:59:29 +0100, John Panzer <jpanzer@acm.org> wrote: >> Anne van Kesteren wrote: >>> This is currently not the case for XMLHttpRequest level 2. Based on >>> feedback from Mozilla only Accept and Accept-Language can be set for >>> cross-site requests. >> >> (Aside: Surely Content-Type is allowed as well?) > > Currently, no. In that case, AtomPub among other things is right out, as it needs a Content-Type of application/atom;type=entry on POST and PUT. ... > > I agree that it provides a lot of limitations. I believe the primary > concern is not provide new attack vectors. GET requests you can > currently issue don't allow setting of custom headers, for instance. > However, this concern does not apply to POST/PUT, etc. as there you > make an initial request to see if the server is ok with it. > > Jonas? I think it's too restrictive (at least for POST/PUT, where you often need to send additional metadata in headers).
Received on Thursday, 14 February 2008 18:14:15 UTC