W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: XHR LC Draft Feedback

From: Adam Barth <public-webapi@adambarth.com>
Date: Mon, 12 May 2008 22:42:59 -0700
Message-ID: <7789133a0805122242j7d83a1e7ob1676481a0bd5a33@mail.gmail.com>
To: "Anne van Kesteren" <annevk@opera.com>
Cc: "Sunava Dutta" <sunavad@windows.microsoft.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "Gideon Cohn" <gidco@windows.microsoft.com>, "Ahmed Kamel" <Ahmed.Kamel@microsoft.com>, "Zhenbin Xu" <zhenbinx@windows.microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>

On Mon, May 12, 2008 at 8:11 AM, Anne van Kesteren <annevk@opera.com> wrote:
> > 2.       Protecting Access-Control-Origin header from being set in XHR.
> > Cheers and thank you!
>
>  I agree that Access-Control-Origin needs to be blocked, but shouldn't we
> add this header in XMLHttpRequest Level 2? Adding it in XMLHttpRequest Level
> 1 seems slightly odd, though I don't feel strongly either way.

One option is to rename the header "Sec-Origin", which is already
blocked in XHR Level 1.

Adam
Received on Tuesday, 13 May 2008 08:08:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 13 May 2008 08:08:46 GMT