
Re: [xhr] cross site proposal headers

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 23 Jul 2007 02:55:11 -0700
Message-ID: <46A47AFF.2080408@sicking.cc>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Web APIs WG <public-webapi@w3.org>

Julian Reschke wrote:
> 
> Jonas Sicking wrote:
>>
>> Jonas Sicking wrote:
>>>
>>> Hi All,
>>>
>>> A couple of questions regarding the cross-site XHR proposal:
>>> http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012
>>>
>>> As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest 
>>> cross-site requests should always have the headers set through 
>>> setRequestHeader removed. This includes requests done after a 
>>> redirect to a different server.
>>
>> Oh, I was going to add to this. I plan on allowing "Accept" and 
>> "Accept-Language" to be set even for cross-site requests. Are there 
>> other headers that people think would be useful and safe to allow?
> 
> Could you point me to the rationale for forbidding setting headers in the 
> first place? HTTP headers are an important extension point (see for 
> example APP "Slug"), but disallowing them completely seems to be a very 
> drastic measure.

The only thing documented is the wiki.mozilla.org page linked above. The 
rationale is simply that allowing any random header (except for the 
small black-list in the spec) to be set in a HTTP GET request to any 
server is a big expansion of what browsers currently allow. Remember 
that these servers could be servers behind a firewall or servers where 
the user is logged in or has cookies set.

Rather than questioning why we're forbidding it, we asked, how would we 
know it's safe to allow it? And since we didn't know we opted for the 
safer path.

/ Jonas
Received on Monday, 23 July 2007 09:56:01 GMT
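The policy Jonas describes (headers set through setRequestHeader are dropped for cross-site requests, including any request made after a redirect to a different server, with a small allow-list such as Accept and Accept-Language) can be modelled as a short filter. The code below is an added illustration written for this archive page; it is not browser code, not the Mozilla implementation linked in the thread, and not the spec's black-list. The allow-list contents, the use of the same-origin rule (scheme, host and port) to decide "different server", and the sample origins and URLs are assumptions made for the example.

```javascript
// Model of the cross-site header-stripping policy discussed in the thread.
// Assumption: the allow-list holds exactly the two headers Jonas proposed.
const ALLOWED_CROSS_SITE = new Set(['accept', 'accept-language']);

// "Same server" is approximated by the same-origin rule (scheme, host, port).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Compute the headers that would actually be sent at each hop of a request.
//   pageOrigin: origin of the document that created the XHR
//   chain:      the request URL followed by any redirect targets, in order
//   requested:  headers set via setRequestHeader, as a plain object
// Returns one header object per hop. Once any hop in the chain so far is
// cross-origin, every later hop is treated as cross-site and only the
// allow-listed headers survive, matching the "after a redirect" rule.
function effectiveHeaders(pageOrigin, chain, requested) {
  const result = [];
  let crossSite = false;
  for (const url of chain) {
    if (!sameOrigin(pageOrigin, url)) crossSite = true;
    const sent = {};
    for (const [name, value] of Object.entries(requested)) {
      const key = name.toLowerCase(); // header names are case-insensitive
      if (!crossSite || ALLOWED_CROSS_SITE.has(key)) sent[key] = value;
    }
    result.push(sent);
  }
  return result;
}

// Constructed sample: a same-origin request that redirects to another host.
// The custom "Slug" header (the APP example from the thread) is sent on the
// first hop only; "Accept" is sent on both.
const demo = effectiveHeaders(
  'http://example.org',
  ['http://example.org/entries', 'http://intranet.example/entries'],
  { Slug: 'new-entry', Accept: 'application/atom+xml' }
);
console.log(JSON.stringify(demo));
```

The second hop in the sample is the case the thread is most concerned with: a page on one origin causing a request, complete with caller-chosen headers, to reach a host it was never allowed to address directly.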
