Re: [XMLHttpRequest2] response headers for cross-site requests

On Tue, 8 Apr 2008, Anne van Kesteren wrote:
> 
> On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> > I'd wonder what the purpose of this is? I.e. what's the use case?
> 
> The main use case for not restricting headers too much is that it gives 
> more consistency with same-origin requests.

That's not a use case, it's a language design decision.

I don't think we should change this without a better reason. There's no 
reason to believe that some servers don't have information in the headers 
that shouldn't be seen by third-parties, and it's the kind of thing that 
would be really easy to miss when securing a page for third-party access.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 10 April 2008 05:06:53 UTC