
Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 19 Apr 2010 16:04:48 +0900
To: "Jonas Sicking" <jonas@sicking.cc>, "Tyler Close" <tyler.close@gmail.com>
Cc: "Arthur Barstow" <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.vbedyaw664w2qv@annevk-t60>
On Mon, 19 Apr 2010 05:29:12 +0900, Tyler Close <tyler.close@gmail.com>  
wrote:
> On Fri, Apr 16, 2010 at 5:52 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> However I do like the idea of having a header which enumerates which
>> additional headers can be exposed. That seems like it'll add similar
>> value to exposing things by default, but with much less risk.
>>
>> Didn't mnot suggest something like that as part of his HTTP review?
>
> If Mozilla agrees to implement it, I'd like UMP to specify a new
> header named "U" whose value is either "*" or a list of allowed
> response headers. A response with this header is opting out of Same
> Origin Policy protection for both the response entity and the listed
> response headers. The response is not required to also include the
> Access-Control-Allow-Origin header, but can for compatibility with
> current implementations.
>
> This solution would get two birds with one stone, allowing us to
> deprecate the verbose and misleading header name that mnot also
> complained about.

You'd still be restricted in terms of the request headers you can use. For  
CORS I plan on using Access-Control-Expose-Headers for consistency. If all  
implementors agree I would be happy to shorten the header names, but at  
this point that seems unlikely.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 19 April 2010 07:05:37 GMT
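
The header named in the reply above, Access-Control-Expose-Headers, modelled as an added example that is not part of the original message: which response headers a cross-origin script gets to read. The safelist, the forbidden names and the `*` handling follow the current Fetch Standard rather than the 2010 draft under discussion (an assumption), and `visibleHeaders`, `parseExposeList` and the sample response are hypothetical.

```javascript
// Added illustration; function names and sample data are hypothetical.
// Response headers a cross-origin script may always read (Fetch Standard safelist).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable by script, whatever the server lists.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Split a comma-separated header value into lowercase tokens.
function parseExposeList(value) {
  return (value || "")
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// Return the response headers visible to a cross-origin script.
// headers: plain object of response header name -> value.
// credentialed: true when the request carried credentials; "*" is then
// treated as a literal header name rather than a wildcard.
function visibleHeaders(headers, credentialed) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  const listed = parseExposeList(lower["access-control-expose-headers"]);
  const wildcard = !credentialed && listed.includes("*");
  const allowed = new Set(listed);
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (wildcard || SAFELISTED.has(name) || allowed.has(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample response: only X-Request-Id is opted in.
const sample = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "X-Internal-Route": "backend-7",
  "Set-Cookie": "sid=1",
  "Access-Control-Expose-Headers": "X-Request-Id",
};
console.log(visibleHeaders(sample, false));
```

Running the same check over a service's real responses shows whether a wildcard or an over-long list exposes internal headers such as routing or debug fields to other origins.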
