Jonas Sicking wrote:
>
> mike amundsen wrote:
>> I've read some threads that lead me to think that the Mozilla plan is
>> to block certain HTTP Headers in their implementation of CSR. I can't
>> find any details on this and would like some clarification.
>>
>> What, if any, HTTP Headers are going to be disallowed? Is this for all
>> HTTP Methods?
>
> First off, note that there are no particular headers disallowed when
> using the access-control spec in general. I.e. any headers normally
> sent with a request will be sent for cross-site requests that use the
> access-control spec.
>
> We do however limit which headers can be set using the
> XMLHttpRequest.setRequestHeader method. Looking at the code it
> currently only allows "accept" and "accept-language". Not actually
> sure what this very short list was based on. I do think we should at
> the very least also allow "content-type". If you have any further
> suggestions for headers that you think would be safe, do let me know.
>
> / Jonas
>

Looking at AtomPub:

o Content-Type on POST and PUT is required ("application/atom;type=entry")
o If-Match is needed on PUT for optimistic concurrency control
o Slug is defined in AtomPub [1] to help suggest URIs

Looking elsewhere:

o X-Method-Override is used at times to work around intermediaries
  that can't handle PUT or DELETE.
o Cache control headers would be useful to control (specialized scripts
  may have a better shot at optimizing this than generic browser-only
  mechanisms).

I'd also put in a plea for some type of authorization header. OAuth,
AuthSub, and AWS use Authorization: for this purpose, and there's a
separate thread on that subject discussing whether that's appropriate.

John

Received on Tuesday, 19 February 2008 03:16:10 GMT
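
The header filter described in the quoted message, applied to the headers requested in the reply, as an added JavaScript example that is not part of the original message and not Mozilla's code. The function names, the choice to reject rather than silently drop, and the sample values are assumptions; the header-name and CR/LF checks go beyond what the message states.

```javascript
// Added illustration, not Mozilla's implementation. The two allowlists come
// from the quoted message; function names and sample values are hypothetical.
const CURRENT_ALLOWLIST = new Set(["accept", "accept-language"]);
const PROPOSED_ALLOWLIST = new Set([...CURRENT_ALLOWLIST, "content-type"]);

// RFC 7230 "token": the characters legal in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Decide whether a script-supplied header may go on a cross-site request.
function checkCrossSiteHeader(name, value, allowlist) {
  if (!TOKEN.test(name)) return { ok: false, reason: "invalid header name" };
  // CR or LF in a value would let one allowed header carry extra ones.
  if (/[\r\n]/.test(String(value))) return { ok: false, reason: "CR/LF in value" };
  // Field names are case-insensitive, so compare in lower case.
  if (!allowlist.has(name.toLowerCase())) return { ok: false, reason: "not on allowlist" };
  return { ok: true, reason: "allowed" };
}

// Split a list of [name, value] pairs into allowed and rejected names.
function partitionHeaders(headers, allowlist) {
  const allowed = [], rejected = [];
  for (const [name, value] of headers) {
    const verdict = checkCrossSiteHeader(name, value, allowlist);
    (verdict.ok ? allowed : rejected).push(name.toLowerCase());
  }
  return { allowed, rejected };
}

// Constructed sample: the headers the reply asks for, with made-up values.
const REQUESTED = [
  ["Content-Type", "application/atom+xml;type=entry"],
  ["If-Match", '"constructed-etag"'],
  ["Slug", "constructed-title"],
  ["X-Method-Override", "PUT"],
  ["Cache-Control", "no-cache"],
  ["Authorization", "Scheme constructed-credential"],
];

console.log(partitionHeaders(REQUESTED, CURRENT_ALLOWLIST));
console.log(partitionHeaders(REQUESTED, PROPOSED_ALLOWLIST));
```

Under the two-entry list every header in the reply is rejected; adding "content-type" admits only that one.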