W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

[access-control] XDomainRequest

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 08 Jul 2008 21:50:46 +0200
To: "Sunava Dutta" <sunavad@windows.microsoft.com>
Cc: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.udzn2wfc64w2qv@annevk-t60.oslo.opera.com>

Hi,

In theory XDomainRequest can now use a profiled version of the Access  
Control for Cross-Site Requests specification as long as the credentials  
flag is false, it does not allow setting any headers other than those in  
the whitelist, and the HTTP method is GET or POST. I believe this is what  
XDomainRequest is limited to today. Servers would only need to use the  
Access-Control-Origin header (all headers are ignored anyway by the client  
if you keep within the outlined limits) and XDomainRequest clients would  
only need to check that header.

Let me know if there are any questions regarding this.

Kind regards,


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 8 July 2008 19:51:20 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT