Re: [XMLHttpRequest2] response headers for cross-site requests

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 10 Apr 2008 05:06:09 +0000 (UTC)
To: Anne van Kesteren <annevk@opera.com>
Cc: Jonas Sicking <jonas@sicking.cc>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <Pine.LNX.4.62.0804100456420.7575@hixie.dreamhostps.com>

On Tue, 8 Apr 2008, Anne van Kesteren wrote:
> 
> On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> > I'd wonder what the purpose of this is? I.e. what's the use case?
> 
> The main use case for not restricting headers too much is that it gives 
> more consistency with same-origin requests.

That's not a use case, it's a language design decision.

I don't think we should change this without a better reason. There's no 
reason to believe that some servers don't have information in the headers 
that shouldn't be seen by third-parties, and it's the kind of thing that 
would be really easy to miss when securing a page for third-party access.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 April 2008 05:06:53 GMT
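
The default-deny position argued in the message above, as an added example that is not part of the original thread: a filter that hides every cross-site response header unless it is on a small safelist or the server opts it in. It follows the Access-Control-Expose-Headers rules as CORS defines them today; the function names and the sample response are this example's own constructions.

```javascript
// Added illustration; function names and sample headers are hypothetical.
// Response headers readable cross-site without any server opt-in
// (the CORS-safelisted response header names in the Fetch Standard).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable by script, whatever the server lists.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse an Access-Control-Expose-Headers value into lowercase names.
function parseExposeList(value) {
  return new Set(
    (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the subset of `headers` a cross-site caller may read.
// `headers` is a plain object; `withCredentials` mirrors the request mode.
function visibleCrossSiteHeaders(headers, withCredentials) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const exposed = parseExposeList(lower["access-control-expose-headers"]);
  // "*" is a wildcard only for requests made without credentials.
  const wildcard = exposed.has("*") && !withCredentials;
  const out = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) out[name] = value;
  }
  return out;
}

// Constructed sample response: two custom headers, only one opted in.
const sample = {
  "Content-Type": "application/json",
  "X-Request-Id": "req-0001",
  "X-Internal-User": "alice@corp.example",
  "Set-Cookie": "sid=constructed",
  "Access-Control-Expose-Headers": "X-Request-Id",
};
console.log(visibleCrossSiteHeaders(sample, true));
```

A header the operator forgot about, such as the constructed X-Internal-User here, stays hidden because exposure requires an explicit listing rather than an explicit removal.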
