
Re: XHR LC Draft Feedback

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 12 May 2008 17:11:49 +0200
To: "Sunava Dutta" <sunavad@windows.microsoft.com>
Cc: "public-webapi@w3.org" <public-webapi@w3.org>, "Gideon Cohn" <gidco@windows.microsoft.com>, "Ahmed Kamel" <Ahmed.Kamel@microsoft.com>, "Zhenbin Xu" <zhenbinx@windows.microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>
Message-ID: <op.ua1q5ztf64w2qv@annevk-t60.oslo.opera.com>

On Fri, 18 Apr 2008 03:00:46 +0200, Sunava Dutta <sunavad@windows.microsoft.com> wrote:
> So essentially summarizing my two requests for your convenience.
>
> 1. Mentioning for each header the reasons for restriction. (I  
> think security is paramount but for shipped implementations I would  
> hesitate to reduce surface area of attack unless there is a compelling  
> reason. It's much harder to restrict once we ship!)

The restrictions on allowed headers have come forth based on  
implementation feedback from Opera, Apple, and Mozilla. If you have  
feedback that suggests the list of headers should be different, please let  
us know.


> 2. Protecting Access-Control-Origin header from being set in XHR.
> Cheers and thank you!

I agree that Access-Control-Origin needs to be blocked, but shouldn't we  
add this header in XMLHttpRequest Level 2? Adding it in XMLHttpRequest  
Level 1 seems slightly odd, though I don't feel strongly either way.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 12 May 2008 15:12:30 GMT
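As an added illustration of the header restriction discussed in this thread (example code, not from the thread or from any browser), the following models the check an XMLHttpRequest implementation applies in setRequestHeader(): names a page script must not control are silently dropped rather than sent. The blocklist follows the forbidden request-header names later standardized in the Fetch specification, with the draft-era "Access-Control-Origin" from this message added; the RequestHeaders class and demo() are assumptions for the example.

```javascript
// Forbidden request-header names, compared case-insensitively. A script that
// could set these could forge origin, credential or hop-by-hop information.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length",
  "cookie", "cookie2", "date", "dnt", "expect", "host", "keep-alive",
  "origin", "referer", "set-cookie", "te", "trailer", "transfer-encoding",
  "upgrade", "via",
  "access-control-origin", // name used in the 2008 draft discussed above
]);
// Whole families are blocked by prefix.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// A header name must be a non-empty RFC 7230 token.
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) ||
    FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Hypothetical model of the XHR author-header list: invalid names throw,
// forbidden names are ignored (returns false), repeated names are combined
// with ", " as setRequestHeader() does.
class RequestHeaders {
  constructor() { this.map = new Map(); }
  set(name, value) {
    if (!TOKEN_RE.test(name)) throw new SyntaxError(`invalid header name: ${name}`);
    if (isForbiddenRequestHeader(name)) return false; // dropped, never sent
    const key = name.toLowerCase();
    const prev = this.map.get(key);
    this.map.set(key, prev === undefined ? value : `${prev}, ${value}`);
    return true;
  }
  get(name) { return this.map.get(name.toLowerCase()); }
}

// Constructed demo: only the custom header survives.
function demo() {
  const h = new RequestHeaders();
  h.set("X-Requested-With", "XMLHttpRequest");
  h.set("Access-Control-Origin", "http://attacker.example"); // ignored
  h.set("Sec-Fetch-Mode", "cors");                           // ignored
  return [...h.map.keys()];
}
```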
