
Re: [XMLHttpRequest2] response headers for cross-site requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 08 Apr 2008 10:38:37 -0700
Message-ID: <47FBAD9D.40700@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: "Web API WG (public)" <public-webapi@w3.org>

Anne van Kesteren wrote:
> On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> I'd wonder what the purpose of this is? I.e. what's the use case?
> 
> The main use case for not restricting headers too much is that it gives 
> more consistency with same-origin requests. This presumably allows the 
> same kind of scenarios that nowadays happen same-origin to be done non 
> same-origin.
> 
>> We don't want to allow access to cookie and authentication headers, 
>> right?
> 
> Right.
> 
>> Are you sure there isn't anything else like it as well that authors 
>> won't unintentionally expose?
> 
> That's what I'm asking for, I suppose.

For what it's worth, I do think that whatever list we come up with 
should be part of the access-control spec rather than the XHR2 spec. 
This is very much tied in to the security model which is what the 
access-control spec describes.

/ Jonas
Received on Tuesday, 8 April 2008 17:41:25 GMT
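As an added illustration of the filtering this thread is discussing (not code from the W3C archive, the XHR2 or access-control drafts, or either correspondent), the model below keeps same-origin behaviour unchanged and, for a non-same-origin response, withholds the cookie and authentication headers from script. The header names in `CREDENTIAL_HEADERS` are an assumption drawn from the headers that carry those credentials; the response block is constructed, not captured.

```javascript
// Added model of the "don't expose cookie and authentication headers cross-site"
// rule. Not browser code and not spec text; the header set is an assumption.
const CREDENTIAL_HEADERS = new Set([
  'set-cookie', 'set-cookie2', 'www-authenticate', 'proxy-authenticate',
]);

// Parse a raw header block (the shape getAllResponseHeaders() returns) into
// [name, value] pairs. Header names are case-insensitive, so lower-case them.
function parseHeaders(raw) {
  return raw.split(/\r?\n/)
    .filter((line) => line.includes(':'))
    .map((line) => {
      const idx = line.indexOf(':');
      return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
    });
}

// Headers a script may read. Same-origin: everything, as today.
// Non-same-origin: everything except the credential-bearing headers above.
function readableHeaders(raw, { crossOrigin }) {
  const pairs = parseHeaders(raw);
  if (!crossOrigin) return pairs;
  return pairs.filter(([name]) => !CREDENTIAL_HEADERS.has(name));
}

// Constructed sample response headers (not a real capture).
const SAMPLE_RESPONSE_HEADERS = [
  'Content-Type: application/json',
  'Set-Cookie: session=abc123; HttpOnly',
  'WWW-Authenticate: Basic realm="example"',
  'X-Request-Id: 42',
].join('\r\n');

function sameOriginView() {
  return readableHeaders(SAMPLE_RESPONSE_HEADERS, { crossOrigin: false });
}

function crossOriginView() {
  return readableHeaders(SAMPLE_RESPONSE_HEADERS, { crossOrigin: true });
}

// Cross-origin callers see only content-type and x-request-id.
console.log(crossOriginView());
```

The deny-list shape is what the thread's open question exposes: anything not on the list leaks, so a practitioner reviewing such a rule would ask exactly what Jonas asks here, whether other headers carry secrets the author did not intend to publish.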
