- From: Tyler Close <tyler.close@gmail.com>
- Date: Sun, 18 Apr 2010 13:29:12 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Fri, Apr 16, 2010 at 5:52 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> However I do like the idea of having a header which enumerates which
> additional headers can be exposed. That seems like it'll add similar
> value to exposing things by default, but with much less risk.
>
> Didn't mnot suggest something like that as part of his HTTP review?

If Mozilla agrees to implement it, I'd like UMP to specify a new header named "U" whose value is either "*" or a list of allowed response headers. A response with this header is opting out of Same Origin Policy protection for both the response entity and the listed response headers. The response is not required to also include the Access-Control-Allow-Origin header, but can for compatibility with current implementations.

This solution would get two birds with one stone, allowing us to deprecate the verbose and misleading header name that mnot also complained about.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Sunday, 18 April 2010 20:29:40 UTC
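As an added illustration of the proposal in the mail above (not code from the UMP draft, from any browser, or from the author), the routine below models the exposure decision a client would make when it sees the proposed "U" response header. The comma-separated, case-insensitive parsing of the header list, and reading "*" as "every response header", are assumptions; the mail does not spell them out.

```javascript
// Parse the proposed "U" response header (assumed format: "*" or a
// comma-separated list of header names). Returns null when the header is
// absent, meaning the response has NOT opted out of Same Origin Policy.
function parseUHeader(value) {
  if (value === null || value === undefined) return null;
  const v = value.trim();
  if (v === "*") return "*";
  return v
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// Decide what a cross-origin caller may read from a response under the
// "U" semantics described in the mail: with "U" present, the response
// entity is readable, and either all headers ("*") or only the listed ones
// are readable; without "U", nothing is. Access-Control-Allow-Origin is
// deliberately not consulted here, since the proposal does not require it.
function exposedUnderU(responseHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  const u = parseUHeader(headers["u"]);
  if (u === null) {
    return { body: false, headers: [] };
  }
  const names = Object.keys(headers).sort();
  if (u === "*") {
    return { body: true, headers: names };
  }
  return { body: true, headers: names.filter((n) => u.includes(n)) };
}

// Constructed sample responses for demonstration.
const sampleWildcard = { "Content-Type": "text/plain", "U": "*", "ETag": "v1" };
const sampleListed = {
  "Content-Type": "text/plain", "U": "ETag, X-Request-Id",
  "ETag": "v1", "X-Request-Id": "req-123", "Set-Cookie": "secret=1",
};
const sampleNoU = { "Content-Type": "text/plain", "ETag": "v1" };
```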