On Mon, 22 Jun 2009 08:00:12 +0200, François REMY <fremycompany_pub@yahoo.fr> wrote:
> From: "Anne van Kesteren" <annevk@opera.com>
>> Where is this header defined?
>
> In the XHR Cross-Site Scripting module, if I remember.

I'm not sure what you mean by that, though as editor of the XMLHttpRequest specifications (and as editor of CORS) I can tell you there is no X-Allow-... header defined in those specifications.

>> Making it use the same headers as the CORS protocol but with wildly
>> different semantics does not seem like a good idea to me. Also, I'm
>> somewhat skeptical that something which negatively affects clients that
>> implement it when incorrectly used can be successfully deployed.
>
> If they can use it for the XHR, why could they not use it for trying to
> secure their own documents?

It is not about restricting. As I said earlier, CORS is about _lifting_ a restriction (that is present e.g. with XMLHttpRequest), not imposing one.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 22 June 2009 06:09:11 GMT