RE: XHR LC Draft Feedback

Comments inline. Thanks,

> -----Original Message-----
> From: Anne van Kesteren [mailto:annevk@opera.com]
> Sent: Monday, May 12, 2008 8:12 AM
> To: Sunava Dutta
> Cc: public-webapi@w3.org; Gideon Cohn; Ahmed Kamel; Zhenbin Xu; Doug
> Stamper
> Subject: Re: XHR LC Draft Feedback
>
> On Fri, 18 Apr 2008 03:00:46 +0200, Sunava Dutta
> <sunavad@windows.microsoft.com> wrote:
> > So essentially summarizing my two requests for your convenience.
> >
> > 1.       Mentioning for each header the reasons for restriction. (I
> > think security is paramount but for shipped implementations I would
> > hesitate to reduce surface area of attack unless there is a compelling
> > reason. It's much harder to restrict once we ship!)
>
> The restrictions on allowed headers have come forth based on
> implementation feedback from Opera, Apple, and Mozilla. If you have
> feedback that suggests the list of headers should be different, please let
> us know.
[Sunava Dutta] Ah, sorry I'm not being clear. What I'm asking for is the reasons for why the headers are blocked (based on implementation feedback, but what is the feedback per blocked header?) to be called out for each header in the spec. Otherwise it seems arbitrary.
>
>
> > 2.       Protecting Access-Control-Origin header from being set in XHR.
> > Cheers and thank you!
>
> I agree that Access-Control-Origin needs to be blocked, but shouldn't we
> add this header in XMLHttpRequest Level 2? Adding it in XMLHttpRequest
> Level 1 seems slightly odd, though I don't feel strongly either way.
[Sunava Dutta] Having it in XHR L2 is OK with me.
>
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>

Received on Monday, 12 May 2008 20:28:44 UTC