
Re: [XMLHttpRequest2] response headers for cross-site requests

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 08 Apr 2008 19:36:34 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.t9ay68c964w2qv@annevk-t60.oslo.opera.com>

On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> I'd wonder what the purpose of this is? I.e. what's the use case?

The main use case for not restricting headers too much is that it gives  
more consistency with same-origin requests. This presumably allows the  
same kind of scenarios that nowadays happen same-origin to be done non  
same-origin.


> We don't want to allow access to cookie and authentication headers,  
> right?

Right.


> Are you sure there is not anything else like it as well that authors  
> won't unintentionally expose?

That's what I'm asking for, I suppose.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 8 April 2008 17:36:49 GMT
