- From: Alexey Proskuryakov <ap@webkit.org>
- Date: Wed, 1 Apr 2009 14:05:08 +0400
- To: Anne van Kesteren <annevk@opera.com>
- Cc: public-webapps <public-webapps@w3.org>

On 01.04.2009, at 13:49, Anne van Kesteren wrote:

> Consistency with cross-origin requests where they need to be blocked
> to prevent distributed dictionary attacks. I actually thought Opera
> already blocked this header and the next Firefox release will do so
> as well.

According to <http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2903> and my testing, Firefox doesn't block it.

As there seems to be no danger in allowing this header for same origin requests, I'd suggest removing it from the list of forbidden headers. As mentioned in this thread, there are valid reasons to control it explicitly.

- WBR, Alexey Proskuryakov

Received on Wednesday, 1 April 2009 10:05:44 UTC