
Re: Access Control for Cross-site Requests WD Published

From: mike amundsen <mca@amundsen.com>
Date: Tue, 19 Feb 2008 10:31:53 -0500
Message-ID: <b548df650802190731i2554c5b5i5ea590abea6626e8@mail.gmail.com>
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>

Well, how is this handled today for XmlHttpRequest? I'm not advocating
for *removing* HTTP Header restrictions from XmlHttpRequest WRT CSR. I
am however unable to see how CSR makes it important to *add* to any
existing HTTP Header restrictions for CSR-related XmlHttpRequest.

We can all come up with potentially harmful uses of XmlHttpRequests
against a server. Web servers currently have a lot more to fear than
scripting of XmlHttpRequest requests [grin]!

I can see where adding CSR support to XmlHttpRequest can possibly make
it *easier* to create harmful requests. I can see where adding CSR
support can increase the *number* of these harmful requests. But I
haven't found an example of how CSR can create any *new* harmful
requests.

MikeA

On Feb 18, 2008 7:11 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> mike amundsen wrote:
> > I agree w/ Kris:
> >
> > Limiting HTTP headers is a real problem. I see no reason for this.
> > Certainly not for security reasons.
>
> How can you know that it is safe to send any header to any server? Note
> that no access checks are done before sending GET requests, so allowing
> any header there seems like it has great potential to have undesired
> effects on servers.
>
> / Jonas
-- 
mca
http://amundsen.com/blog/
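An added illustration, not part of this message or of the Working Draft under discussion, of the distinction the thread turns on: which cross-site XMLHttpRequest calls reach the server with no prior access check, and which headers a script may set at all. The rules encoded here are the ones that later shipped as CORS (forbidden request headers, a small safelist of headers that go out unchecked, and an OPTIONS pre-check for anything else), simplified to omit the value-length and byte-range checks; the function and list names are my own. Under these rules a GET carrying a header outside the safelist is not sent directly but triggers an access check first, which is one way the restriction argued over above can be enforced without touching the headers a same-origin XMLHttpRequest already allows.

```javascript
// Added example (not code from the thread or the spec): classify a cross-site
// XMLHttpRequest by what happens to it before the server sees it. Lists are
// modelled on the CORS rules that shipped later, simplified.

// Headers a script can never set on an XMLHttpRequest, same-origin or not.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

function isForbiddenHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(n) ||
    n.startsWith("proxy-") || n.startsWith("sec-");
}

// Headers a cross-site request may carry without any access check, provided
// (for Content-Type) the media type is one a plain HTML form could send.
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(n)) return false;
  if (n === "content-type") {
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(mime);
  }
  return true;
}

// Outcomes:
//   "forbidden" - setRequestHeader refuses the header; nothing is sent with it
//   "preflight" - an OPTIONS access check goes out before the real request
//   "direct"    - sent as-is; only the response is checked afterwards
//                 (the "no access check before sending" case in the thread)
function classifyCrossSiteRequest(method, headers) {
  const m = method.toUpperCase();
  for (const name of Object.keys(headers)) {
    if (isForbiddenHeader(name)) return { outcome: "forbidden", header: name };
  }
  const simpleMethod = m === "GET" || m === "HEAD" || m === "POST";
  const nonSafelisted = Object.entries(headers)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name);
  if (!simpleMethod || nonSafelisted.length > 0) {
    return { outcome: "preflight", method: m, headers: nonSafelisted };
  }
  return { outcome: "direct", method: m };
}

// Constructed sample requests, to show the three outcomes side by side.
const samples = [
  ["GET", {}],
  ["GET", { "X-Requested-With": "XMLHttpRequest" }],
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
  ["POST", { "Content-Type": "application/json" }],
  ["GET", { "Cookie": "session=abc" }],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), "->",
    JSON.stringify(classifyCrossSiteRequest(method, headers)));
}
```

The first sample is the case Jonas describes: a bare GET goes to the server with no check at all, so any server-side behaviour keyed on the request is reachable from any origin. The second shows what adding a single custom header does under the later rules: the request is no longer sent directly but preceded by an OPTIONS check, and only the safelisted headers a form could already send escape that check.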
Received on Tuesday, 19 February 2008 15:32:06 GMT
