W3C home > Mailing lists > Public > public-webapi@w3.org > July 2007

Re: [xhr] cross site proposal headers

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 26 Jul 2007 13:36:09 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Web APIs WG" <public-webapi@w3.org>
Message-ID: <op.tv2k6jf464w2qv@annevk-t60.oslo.opera.com> 

On Thu, 26 Jul 2007 13:34:39 +0200, Anne van Kesteren <annevk@opera.com>  
wrote:
>> Why prevent a user from setting the "Content-Access-Control" header?  
>> That is generally a response header and I'd expect servers to ignore it.
>
> If requests with arbitrary headers set can harm a server they are  
> already vulnerable. Is it really wise to restrict this?

Actually, this is untrue for intranets and such. Hmm.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 26 July 2007 11:36:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT