W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

re: (XMLHttpRequest 2) Proposal for cross-site extensions to XMLHttpRequest

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 11 Apr 2006 03:48:36 +0000 (UTC)
To: Darin Fisher <darin@meer.net>
Cc: public-webapi@w3.org
Message-ID: <Pine.LNX.4.62.0604110343430.21459@dhalsim.dreamhost.com>

On Mon, 10 Apr 2006, Darin Fisher wrote:
> >
> > If the open() method is called with a URI that points to a third-party 
> > domain, then:
> > 
> >    setRequestHeader() must be prevented from setting the Domain and 
> > Referer headers.
> 
> But, it can set "Cookie" and "Authorization" headers?  That should be 
> okay.

Right; the normal restrictions still apply (it can add cookies but not 
remove them, it can set a username/password but not the Authorization 
header, or whatever the rules are -- the proposal only mentions things 
that need to change).


> I assume that IP address literals are also supported (w/ "[]" escaping 
> for IPv6 address literals).

Good point, the spec should make sure it covers IP addresses as well as 
host names (probably by treating them identically).

> >    Access check: If there are response headers with the name 
> > "Access-Control", then they must have their values parsed as the data 
> > part of an <?access-control?> PI.
> 
> Are there any cases where the allowed contents of the PI would not be 
> allowed as a HTTP header value?

Only newlines aren't allowed in HTTP header values, so I don't think so.


> Can you clarify what happens when an "Access-Control" header does not 
> agree with an <?access-control?> PI?  Or, suppose there are multiple 
> "Access-Control" headers.

Same as if there are multiple <?access-control?> PIs. The proposal 
basically makes all the Access-Control headers and <?access-control?> PIs 
be treated identically, and then defers to the (yet-to-be-written) spec 
for <?access-control?> on how they are handled.


> It seems like it should be okay for getAllResponseHeaders() to return 
> the subset of response headers that getResponseHeader() may see.

I considered that, but couldn't see the use case. I don't mind saying 
that's what it does, so long as we are clear that it can't give you any 
information that getResponseHeader() can't give you.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 11 April 2006 03:48:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT