W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: [access-control] Proposal

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 15 Jul 2008 11:15:32 +0200
To: "Ian Hickson" <ian@hixie.ch>
Cc: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.uebtb6w364w2qv@annevk-t60.oslo.opera.com>

On Tue, 15 Jul 2008 10:20:09 +0200, Ian Hickson <ian@hixie.ch> wrote:
> On Tue, 15 Jul 2008, Anne van Kesteren wrote:
>> We limit the amount of Content-Type header values people can set for the
>> simple cross-site POST request to those you can use with HTML forms
>> today. This list will not become a fixed list until we work out how
>> Access Control for Cross-Site Requests will work together with HTML5
>> forms.
> This will lead to people lying about Content-Types, which is one of the
> big problems with XDR. I don't think this is a good thing. (In  
> particular, it prevents us from sending XML over XHR, which is dumb  
> given the name of
> the object if nothing else! Sending JSON and XML are the two biggest use
> cases of this API.)

The idea is not to prevent it, but to require a preflight request for the  
non-HTML forms Content-Types.

Anne van Kesteren
Received on Tuesday, 15 July 2008 09:16:03 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:11 UTC