Re: [XMLHttpRequest2] response headers for cross-site requests

Anne van Kesteren wrote:
>
> Currently XMLHttpRequest Level 2 has restrictions on getting response 
> headers when doing a cross-site request. I have a feeling these may be 
> an artifact of the slightly older model.
>
> getAllResponseHeaders() returns the empty string currently.
>
> getResponseHeader(header) returns null unless header is one of 
> Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, 
> Pragma.
>
> I think we should be able to change this. (Though we can't expose 
> Set-Cookie and Set-Cookie2 obviously.) 

I think Location should be included in that whitelist as well. It is not 
only used for 3xx redirection headers, but HTTP specifies that it can 
also be returned after a 201 Created request, to indicate the URL of the 
newly created resource:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.2

Similarly, the Content-Location header should also be on the white-list.

Actually, I think all Content-* headers should be on the white-list, so 
including Content-MD5, Content-Length, Content-Encoding and Content-Range.

~Grauw

-- 
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.

Received on Thursday, 10 April 2008 08:43:33 UTC
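
The filtering rules discussed in this thread, modelled as an added JavaScript example (not part of the original message, and not browser or specification code). The `makeCrossSiteView` helper, the policy function names and the sample 201 response are constructed for illustration; listing the filtered headers through `getAllResponseHeaders()` under the proposal is an assumption.

```javascript
// Added model of the header filtering discussed in the thread (not browser code).
// Header names are compared case-insensitively, as HTTP requires.
const CURRENT_ALLOWED = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);
const NEVER_EXPOSED = new Set(["set-cookie", "set-cookie2"]);

// Rule as quoted from the current XMLHttpRequest Level 2 draft.
const currentPolicy = (name) => CURRENT_ALLOWED.has(name);

// Rule as proposed in the reply: add Location and every Content-* header.
const proposedPolicy = (name) =>
  !NEVER_EXPOSED.has(name) &&
  (CURRENT_ALLOWED.has(name) || name === "location" || name.startsWith("content-"));

// Hypothetical helper: wraps raw [name, value] pairs in the two XHR getters.
// listAll=false reproduces "getAllResponseHeaders() returns the empty string";
// listAll=true is an assumption about how a relaxed model could behave.
function makeCrossSiteView(rawHeaders, policy, listAll) {
  const visible = rawHeaders.filter(([name]) => policy(name.toLowerCase()));
  return {
    getResponseHeader(header) {
      const wanted = header.toLowerCase();
      const values = visible
        .filter(([name]) => name.toLowerCase() === wanted)
        .map(([, value]) => value);
      return values.length > 0 ? values.join(", ") : null;
    },
    getAllResponseHeaders() {
      return listAll ? visible.map(([n, v]) => `${n}: ${v}\r\n`).join("") : "";
    },
  };
}

// Constructed sample: headers of a 201 Created response from another origin.
const sampleCreated = [
  ["Content-Type", "application/json"],
  ["Content-Length", "17"],
  ["Location", "http://api.example/items/42"],
  ["Content-Location", "http://api.example/items/42"],
  ["Set-Cookie", "session=constructed-value"],
  ["X-Internal-Trace", "constructed-trace-id"],
];

const currentView = makeCrossSiteView(sampleCreated, currentPolicy, false);
const proposedView = makeCrossSiteView(sampleCreated, proposedPolicy, true);
console.log(currentView.getResponseHeader("Location"), proposedView.getResponseHeader("Location"));
```

Under the proposed rule, headers outside the list (here `X-Internal-Trace`) and both cookie headers still come back as `null`, so the change widens the allow-list without turning it into a deny-list.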