W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [XHR] Authorization header

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 13 Jun 2009 17:37:23 +0200
To: "Alexey Proskuryakov" <ap@webkit.org>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <op.uvgy0lfb64w2qv@annevk-t60>
On Wed, 01 Apr 2009 12:11:35 +0200, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 01 Apr 2009 12:05:08 +0200, Alexey Proskuryakov <ap@webkit.org>  
> wrote:
>> As there seems to be no danger in allowing this header for same origin  
>> requests, I'd suggest removing it from the list of forbidden headers.  
>> As mentioned in this thread, there are valid reasons to control it  
>> explicitly.
>
> Actually, I suppose we can also allow it for cross-origin requests now  
> the server has to explicitly opt-in for each and every header.

Removed from the list.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Saturday, 13 June 2009 15:38:02 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT