
Re: [xhr] cross site proposal headers

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 26 Jul 2007 13:34:39 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Web APIs WG" <public-webapi@w3.org>
Message-ID: <op.tv2k31h564w2qv@annevk-t60.oslo.opera.com>

On Mon, 23 Jul 2007 10:35:27 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> A couple of questions regarding the cross-site XHR proposal:
> http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012
>
> As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest  
> cross-site requests should always have the headers set through  
> setRequestHeader removed. This includes requests done after a redirect  
> to a different server.
>
> Why prevent a user from setting the "Content-Access-Control" header?  
> That is generally a response header and I'd expect servers to ignore it.

If requests with arbitrary headers set can harm a server, they are already  
vulnerable. Is it really wise to restrict this?


> What is the purpose of the Referer-Root header? Why can't sites rely on  
> the Referer header?

Isn't Referer disabled by some third-party software now and then? Such as  
antivirus software? Another reason is probably that Referer-Root contains  
the exact format needed for the access check. We could use that in the  
access-control document probably.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 26 July 2007 11:34:49 GMT
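The two points in the thread, shown as an added example that is not code from the message, the Mozilla wiki page, or the 2007 draft: a server-side access check that takes the requesting root from Referer-Root when present and otherwise derives it from Referer, refusing the request when neither survives (the case Anne raises, where third-party software strips Referer), and a client-side filter that applies the quoted rule that author-set headers are dropped on any cross-site request, redirects included. The Referer-Root value format ("scheme://host[:port]"), the allow-list semantics, and all header values are assumptions made for the example.

```javascript
// Added example for the cross-site XHR thread above. Not code from the
// thread, the Mozilla wiki, or the draft. Assumptions: Referer-Root carries a
// bare origin "scheme://host[:port]"; the server's policy is an allow list of
// such roots; header names are matched case-insensitively.

// Derive "scheme://host[:port]" from a URL; null if it is not an http(s) URL.
function rootOf(value) {
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin; // canonical: lower-cased host, default port removed
}

// Lower-case header names so lookups do not depend on the client's casing.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// The root the request claims to come from, or null when it cannot be
// established: both headers stripped, a junk value, or the two disagree.
function requestingRoot(headers) {
  const h = lowerKeys(headers);
  const fromRoot = h['referer-root'] !== undefined ? rootOf(h['referer-root']) : undefined;
  const fromReferer = h['referer'] !== undefined ? rootOf(h['referer']) : undefined;
  if (fromRoot === undefined && fromReferer === undefined) return null; // nothing to check
  if (fromRoot === null || fromReferer === null) return null;           // present but junk
  if (fromRoot !== undefined && fromReferer !== undefined && fromRoot !== fromReferer) return null;
  return fromRoot !== undefined ? fromRoot : fromReferer;
}

// Fail closed: a request whose root cannot be established is refused.
function isAllowed(headers, allowedRoots) {
  const root = requestingRoot(headers);
  if (root === null) return false;
  return allowedRoots.includes(root);
}

// Client side: the rule quoted from the Mozilla wiki. Headers set through
// setRequestHeader travel only while the request stays on the document's
// origin; on a cross-site hop, including a redirect target, they are dropped.
function authorHeadersFor(documentOrigin, targetUrl, authorHeaders) {
  return rootOf(targetUrl) === documentOrigin ? { ...authorHeaders } : {};
}

// Constructed sample requests, not captured traffic.
const ALLOWED = ['https://app.example.org', 'http://localhost:8080'];

const samples = {
  rootHeader:  { 'Referer-Root': 'https://app.example.org' },
  refererOnly: { Referer: 'https://app.example.org/page.html?x=1#f' },
  stripped:    {},                                   // Referer removed by proxy/AV
  wrongPort:   { Referer: 'https://app.example.org:8443/' },
  junkRoot:    { 'Referer-Root': 'javascript:alert(1)' },
  mismatch:    { 'Referer-Root': 'https://app.example.org', Referer: 'https://evil.example/' },
};

function runSamples() {
  const out = {};
  for (const [name, hdrs] of Object.entries(samples)) out[name] = isAllowed(hdrs, ALLOWED);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
  console.log(authorHeadersFor('https://app.example.org', 'https://api.example.net/data', { 'X-Token': 'abc' }));
}
```

Deriving the root from a full Referer needs URL parsing and canonicalisation (case, default ports), which is the work Referer-Root saves the server; either way the check must refuse when no usable origin information arrives, since a stripped Referer otherwise turns into an open policy.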
