W3C home > Mailing lists > Public > public-webapi@w3.org > April 2008

Re: [XMLHttpRequest2] response headers for cross-site requests

From: Laurens Holst <lholst@students.cs.uu.nl>
Date: Thu, 10 Apr 2008 10:42:05 +0200
Message-ID: <47FDD2DD.2040108@students.cs.uu.nl>
To: Anne van Kesteren <annevk@opera.com>
CC: "Web API WG (public)" <public-webapi@w3.org>
Anne van Kesteren schreef:
>
> Currently XMLHttpRequest Level 2 has restrictions on getting response 
> headers when doing a cross-site request. I have a feeling these may be 
> an artifact of the slightly older model.
>
> getAllResponseHeaders() returns the empty string currently.
>
> getResponseHeader(header) returns null unless header is one of 
> Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, 
> Pragma.
>
> I think we should be able to change this. (Though we can't expose 
> Set-Cookie and Set-Cookie2 obviously.) 

I think Location should be included in that whitelist as well. It is not 
only used for 3xx redirection headers, but HTTP specifies that it can 
also be returned after a 201 Created request, to indicate the URL of the 
newly created resource:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.2

Similarly, the Content-Location header should also be on the white-list.

Actually, I think all Content-* headers should be on the white-list, so 
including Content-MD5, Content-Length, Content-Encoding and Content-Range.

~Grauw

-- 
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.




Received on Thursday, 10 April 2008 08:43:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 10 April 2008 08:43:35 GMT