Re: [xhr] cross site proposal headers

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 26 Jul 2007 16:45:06 -0700
Message-ID: <46A93202.8020100@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: Web APIs WG <public-webapi@w3.org>

Anne van Kesteren wrote:
> 
> On Thu, 26 Jul 2007 13:34:39 +0200, Anne van Kesteren <annevk@opera.com> 
> wrote:
>>> Why prevent a user from setting the "Content-Access-Control" header? 
>>> That is generally a response header and I'd expect servers to ignore it.
>>
>> If requests with arbitrary headers set can harm a server they are 
>> already vulnerable. Is it really wise to restrict this?
> 
> Actually, this is untrue for intranets and such. Hmm.

Intranets are no problem since we should forbid setRequestHeader for 
cross-site requests anyway.

/ Jonas
Received on Thursday, 26 July 2007 23:45:54 GMT