
Re: [XMLHttpRequest2] response headers for cross-site requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 08 Apr 2008 10:30:42 -0700
Message-ID: <47FBABC2.8040107@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: "Web API WG (public)" <public-webapi@w3.org>

Anne van Kesteren wrote:
> 
> Currently XMLHttpRequest Level 2 has restrictions on getting response 
> headers when doing a cross-site request. I have a feeling these may be 
> an artifact of the slightly older model.
> 
> getAllResponseHeaders() returns the empty string currently.
> 
> getResponseHeader(header) returns null unless header is one of 
> Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, 
> Pragma.
> 
> I think we should be able to change this. (Though we can't expose 
> Set-Cookie and Set-Cookie2 obviously.)
> 
> Any thoughts?
> 
> 
> (I bcc'ed the WAF WG list as there might be some people there interested 
> in this. Please reply to the Web API WG list. I'll be happy when this 
> work ends up in the same group soonish...)

I'd wonder what the purpose of this is? I.e. what's the use case?

We don't want to allow access to cookie and authentication headers, 
right? Are you sure there is not anything else like it as well that 
authors won't unintentionally expose?

/ Jonas
Received on Tuesday, 8 April 2008 17:33:11 GMT
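
An added example, not part of the original message or of any XMLHttpRequest draft: it models the cross-site behaviour quoted above (six exposed headers, empty `getAllResponseHeaders()`) next to one assumed reading of the proposed change, where everything except Set-Cookie and Set-Cookie2 is exposed, and reports which headers only the second policy reveals. `crossSiteView`, `leakedUnderDenylist`, the sample response and the `X-Session-Token` header are hypothetical names and constructed values.

```javascript
// Headers the draft quoted above exposes to cross-site callers.
const DRAFT_ALLOWLIST = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);
// Headers the thread says must never be exposed (assumed denylist reading).
const ASSUMED_DENYLIST = new Set(["set-cookie", "set-cookie2"]);

// Build a cross-site view of a response under one of the two policies.
// `headers` is an array of [name, value] pairs; names match case-insensitively.
function crossSiteView(headers, policy) {
  const visible = (name) => {
    const n = name.toLowerCase();
    return policy === "allowlist" ? DRAFT_ALLOWLIST.has(n) : !ASSUMED_DENYLIST.has(n);
  };
  return {
    getResponseHeader(name) {
      if (!visible(name)) return null;
      const values = headers
        .filter(([k]) => k.toLowerCase() === name.toLowerCase())
        .map(([, v]) => v);
      return values.length ? values.join(", ") : null;
    },
    getAllResponseHeaders() {
      // The draft returns the empty string for cross-site requests.
      if (policy === "allowlist") return "";
      return headers.filter(([k]) => visible(k))
        .map(([k, v]) => `${k}: ${v}\r\n`).join("");
    },
  };
}

// Constructed sample response; X-Session-Token is a hypothetical app header.
const SAMPLE = [
  ["Content-Type", "application/json"],
  ["Set-Cookie", "sid=constructed-value; HttpOnly"],
  ["X-Session-Token", "constructed-token"],
];

// Headers hidden by the allowlist but readable under the assumed denylist.
function leakedUnderDenylist() {
  const allow = crossSiteView(SAMPLE, "allowlist");
  const deny = crossSiteView(SAMPLE, "denylist");
  return SAMPLE.map(([k]) => k).filter(
    (k) => allow.getResponseHeader(k) === null && deny.getResponseHeader(k) !== null);
}

console.log(leakedUnderDenylist());
```

The application-specific header is the kind of value the reply asks about: a denylist only hides what its authors thought to name.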
