W3C home > Mailing lists > Public > public-webapi@w3.org > February 2008

Re: Security-sensitive headers

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 25 Feb 2008 12:53:31 +0100
To: "Collin Jackson" <collinj@cs.stanford.edu>
Cc: public-webapi@w3.org, "Adam Barth" <abarth@cs.stanford.edu>
Message-ID: <op.t62wnhn364w2qv@annevk-t60.oslo.opera.com>

On Wed, 20 Feb 2008 02:51:34 +0100, Collin Jackson  
<collinj@cs.stanford.edu> wrote:
> I just realized that I missed that the header security restrictions on
> same-origin requests are different from the restrictions on cross-site
> requests. Only the "Accept" and "Accept-Language" headers can be set
> for cross-site requests.
>
> This policy is much more restrictive -- perhaps overly so, since
> authors are encouraged to use setRequestHeader to set the (prohibited)
> Content-Type header in Section 3.5.3.

This is now reverted to an open issue mostly coming out of discussion on  
the WAF WG list. The latest proposal on how to deal with headers is here:

   http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html

I believe that is the way to go.


I have added "Sec-" prefixed headers to the blaclist for  
setRequestHeader(). I will also make this change for XMLHttpRequest Level  
1.


Another thing you mentioned was adding Cookie (and presumably Cookie2) to  
this list as Internet Explorer already does this. I think I'll add those  
too unless there are good reasons not to.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 25 February 2008 11:48:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 25 February 2008 11:48:57 GMT