Re: CSR and Mozilla - Clarifying HTTP Header Filtering

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 19 Feb 2008 08:48:58 +0100
To: "Mark Baker" <distobj@acm.org>, "mike amundsen" <mamund@yahoo.com>
Cc: "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
Message-ID: <op.t6rhbwzw64w2qv@annevk-t60.oslo.opera.com>

On Tue, 19 Feb 2008 05:21:12 +0100, Mark Baker <distobj@acm.org> wrote:
> On 2/18/08, mike amundsen <mamund@yahoo.com> wrote:
>>
>> John makes a good point.
>>
>> There are a number of 'non-spec' HTTP Headers in use that should not
>> be pre-empted. The X-WSSE header[1] that some Atom servers support is
>> another one. Trying to come up with a list of allowed headers is
>> really the wrong way to go.
>>
>> I suggest someone try to make the opposite case - a header that should
>> not be allowed.
>
> Been there, done that;
>
> http://lists.w3.org/Archives/Public/public-webapi/2006May/0008.html

No, these are completely different cases. What you're referring to is ok  
for same-origin requests and is what the same-origin requests still allow.  
Non same-origin requests probably require a different policy though.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 19 February 2008 07:44:50 GMT
