On 01.04.2009, at 13:49, Anne van Kesteren wrote:

> Consistency with cross-origin requests where they need to be blocked
> to prevent distributed dictionary attacks. I actually thought Opera
> already blocked this header and the next Firefox release will do so
> as well.

According to <http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2903> and my testing, Firefox doesn't block it.

As there seems to be no danger in allowing this header for same origin requests, I'd suggest removing it from the list of forbidden headers. As mentioned in this thread, there are valid reasons to control it explicitly.

- WBR, Alexey Proskuryakov

Received on Wednesday, 1 April 2009 10:05:44 GMT