W3C home > Mailing lists > Public > public-webapi@w3.org > July 2007

[xhr] cross site proposal headers

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 23 Jul 2007 01:35:27 -0700
Message-ID: <46A4684F.2010702@sicking.cc>
To: Web APIs WG <public-webapi@w3.org>

Hi All,

A couple of questions regarding the cross-site XHR proposal:
http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012

As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest 
cross-site requests should alway have the headers set through 
setRequestHeader removed. This includes requests done after a redirect 
to a different server.

Why prevent a user from setting the "Content-Access-Control" header? 
That is generally a response header and I'd expect servers to ignore it.

What is the purpose of the Referer-Root header? Why can't sites rely on 
the Referer header?

/ Jonas
Received on Monday, 23 July 2007 08:36:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT