
Re: CSR and Mozilla - Clarifying HTTP Header Filtering

From: Henri Sivonen <hsivonen@iki.fi>
Date: Tue, 19 Feb 2008 22:02:28 +0200
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-Id: <DE1FFC23-F042-467E-AE2C-313BCE52295F@iki.fi>
To: Jon Ferraiolo <jferrai@us.ibm.com>

On Feb 19, 2008, at 17:11, Jon Ferraiolo wrote:

> If you are going to consider requiring a preflight request where the  
> server has to explicitly opt-in to custom headers before custom  
> headers will be sent, how about requiring a preflight request where  
> the server has to explicitly opt-in to cookies before cookies will  
> be sent? That would help address the accountability issue that has  
> been discussed recently.


Why should anyone need to be held accountable for performing a GET  
that could already be triggered with e.g. <img src='...'>? If a  
request causes an action that needs blame, surely such an action  
wouldn't be safe and idempotent.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
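The distinction Henri draws above, between a GET that any page can already fire through an <img> element (cookies attached by the browser, no script-controlled headers) and a request that adds a capability the web never had (a custom header), is what the eventual CORS "simple request" rule encodes. The following is an added example and is not code from the thread, from Mozilla, or from the 2008 Access Control draft: it implements the simple-request test as it appears in the later W3C CORS recommendation (methods GET/HEAD/POST plus a safelisted header set), and a helper that flags which requests were already reachable with <img src>. Header names and the classifier's function names are my own.

```javascript
// Added example (not from the original thread). Models the later CORS
// "simple request" rule, under which a request needs no preflight.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Returns true when a cross-site request with this method and these
// script-set headers must be preceded by an OPTIONS preflight.
// `headers` is an object of header name -> value as script would set them;
// cookies are attached by the browser, not by script, and so never appear here.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lname)) return true; // e.g. X-Requested-With
    if (lname === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true; // e.g. application/json
    }
  }
  return false;
}

// Henri's point: a plain GET with no script-controlled headers is exactly
// what <img src="..."> has always been able to send, cookies included.
// Requiring an opt-in for cookies on such a GET therefore gates nothing new.
function reachableViaImgTag(method, headers) {
  return method.toUpperCase() === 'GET' && Object.keys(headers).length === 0;
}

// Classify a few constructed requests (sample input, not captured traffic).
function classify(method, headers) {
  return {
    preflight: needsPreflight(method, headers),
    legacyReachable: reachableViaImgTag(method, headers),
  };
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    ['GET', {}],
    ['GET', { 'X-Requested-With': 'XMLHttpRequest' }],
    ['POST', { 'Content-Type': 'application/x-www-form-urlencoded' }],
    ['POST', { 'Content-Type': 'application/json' }],
    ['PUT', {}],
  ];
  for (const [m, h] of samples) {
    console.log(m, JSON.stringify(h), classify(m, h));
  }
}
```

The only request that both needs no preflight and is reachable through an <img> tag is the bare GET; that is the case where an opt-in for cookies would add a round trip without removing any capability an attacker already had. A GET that changes state, the "action that needs blame", is a server-side bug regardless of which header or cookie rode along with it.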
Received on Tuesday, 19 February 2008 20:02:52 GMT
