
Re: CSR and Mozilla - Clarifying HTTP Header Filtering

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 18 Feb 2008 16:07:27 -0800
Message-ID: <47BA1DBF.7030500@sicking.cc>
To: mike amundsen <mamund@yahoo.com>
Cc: public-appformats@w3.org

mike amundsen wrote:
> I've read some threads that lead me to think that the Mozilla plan is
> to block certain HTTP Headers in their implementation of CSR. I can't
> find any details on this and would like some clarification.
> 
> What, if any, HTTP Headers are going to be disallowed? Is this for all
> HTTP Methods?

First off, note that there are no particular headers disallowed when 
using the access-control spec in general. I.e. any headers normally sent 
with a request will be sent for cross-site requests that use the 
access-control spec.

We do however limit which headers can be set using the 
XMLHttpRequest.setRequestHeader method. Looking at the code it currently 
only allows "accept" and "accept-language". Not actually sure what this 
very short list was based on. I do think we should at the very least 
also allow "content-type". If you have any further suggestions for 
headers that you think would be safe, do let me know.

/ Jonas
Received on Tuesday, 19 February 2008 00:07:56 GMT
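
The filtering described in the message above, as an added sketch that is not part of the original e-mail and is not Mozilla's code: it applies the "accept" / "accept-language" list to headers set through setRequestHeader on cross-site requests only, and shows the effect of also allowing "content-type". The function names, the example origins and the choice to silently drop a disallowed header are assumptions.

```javascript
// Added illustration; names and drop-instead-of-throw behaviour are assumptions.
// The list the message says the code currently allows for cross-site requests.
const CURRENT_ALLOWED = new Set(["accept", "accept-language"]);
// The list with the addition the message proposes.
const PROPOSED_ALLOWED = new Set([...CURRENT_ALLOWED, "content-type"]);

// A request is cross-site when scheme, host or port differ from the page's.
function isCrossSite(pageUrl, targetUrl) {
  return new URL(pageUrl).origin !== new URL(targetUrl, pageUrl).origin;
}

// authorHeaders: [name, value] pairs in setRequestHeader call order.
// Only these author-set headers are filtered; headers the browser adds
// on its own are outside this function, matching the message's first point.
function filterAuthorHeaders(pageUrl, targetUrl, authorHeaders,
                             allowed = CURRENT_ALLOWED) {
  const crossSite = isCrossSite(pageUrl, targetUrl);
  const sent = {};
  const dropped = [];
  for (const [name, value] of authorHeaders) {
    const key = name.toLowerCase(); // header names compare case-insensitively
    if (crossSite && !allowed.has(key)) {
      dropped.push(name);
      continue;
    }
    // Repeated setRequestHeader calls for one name combine their values.
    sent[key] = key in sent ? `${sent[key]}, ${value}` : value;
  }
  return { crossSite, sent, dropped };
}

// Constructed sample input (not from the original message).
const SAMPLE_HEADERS = [
  ["Accept", "application/json"],
  ["ACCEPT-LANGUAGE", "en"],
  ["Content-Type", "text/xml"],
  ["X-Custom", "1"],
];
const PAGE = "https://app.example/page";

console.log(filterAuthorHeaders(PAGE, "https://api.example/data", SAMPLE_HEADERS));
console.log(filterAuthorHeaders(PAGE, "https://api.example/data", SAMPLE_HEADERS,
                                PROPOSED_ALLOWED));
console.log(filterAuthorHeaders(PAGE, "/data", SAMPLE_HEADERS));
```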
