W3C home > Mailing lists > Public > public-webapi@w3.org > July 2007

Re: [xhr] cross site proposal headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 23 Jul 2007 11:12:55 +0200
Message-ID: <46A47117.4050605@gmx.de>
To: Jonas Sicking <jonas@sicking.cc>
CC: Web APIs WG <public-webapi@w3.org>

Jonas Sicking wrote:
> 
> Jonas Sicking wrote:
>>
>> Hi All,
>>
>> A couple of questions regarding the cross-site XHR proposal:
>> http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012
>>
>> As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest 
>> cross-site requests should alway have the headers set through 
>> setRequestHeader removed. This includes requests done after a redirect 
>> to a different server.
> 
> Oh, I was going to add to this. I plan on allowing "Accept" and 
> "Accept-Language" to be set even for cross-site requests. Are there 
> other headers that people think would be useful and safe to allow?

Could you point me to the rational for forbidding setting headers in the 
first place? HTTP headers are an important extension point (see for 
example APP "Slug"), but disallowing then completely seems to be a very 
drastic measure.

Best regards, Julian
Received on Monday, 23 July 2007 09:13:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT