- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Mon, 12 Jun 2006 12:12:26 +0200
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 12.06.2006 at 11:42, Anne van Kesteren wrote:
>
> On Mon, 12 Jun 2006 11:12:30 +0200, Stefan Eissing
> <stefan.eissing@greenbytes.de> wrote:
>> The last part is the key, of course. I am assuming that methods
>> against the originating server of a page are always allowed and
>> that we are talking about securing requests to other servers and
>> methods used in them. Please correct me, if I got this wrong.
>
> You got this wrong. The discussion here is about (the first version
> of) XMLHttpRequest which will only allow same-origin requests.
Thanks for the correction. Well, in that case I agree with Roy's
comment that instead of restricting methods it is superior to
restrict the (manipulation of) information sent to the server. So,
basically a whitelist of settable/sent headers with some name prefix
("x-"?) left open for individual applications/experimentation.
//Stefan
Received on Monday, 12 June 2006 10:12:39 UTC
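The whitelist approach sketched in the message above, as an added illustration that is not part of the thread and not code from any XMLHttpRequest implementation: a same-origin request API that accepts only a fixed set of request headers plus an "x-" prefix for experimental application headers, and refuses everything else. The function names, the contents of the whitelist and the CR/LF check on values are assumptions made for this example.

```javascript
// Added example (not from the mailing-list thread): a header whitelist for a
// same-origin XMLHttpRequest-style API, following the proposal in the message.
// The list contents and the "x-" escape hatch are illustrative assumptions.

const SETTABLE_HEADERS = new Set([
  'accept', 'accept-language', 'content-type', 'if-match', 'if-none-match',
  'if-modified-since', 'if-unmodified-since', 'cache-control', 'pragma',
]);

// HTTP header names are case-insensitive, so compare in one canonical form.
function normalizeHeaderName(name) {
  return String(name).trim().toLowerCase();
}

// Rough check against the HTTP "token" production: no control characters
// or separators may appear in a header name.
function isValidToken(name) {
  return /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name);
}

// A header may be set by script only if it is on the whitelist or carries
// the experimental "x-" prefix (a bare "x-" is not a usable name).
function isSettableHeader(name) {
  const n = normalizeHeaderName(name);
  if (!isValidToken(n)) return false;
  if (SETTABLE_HEADERS.has(n)) return true;
  return n.startsWith('x-') && n.length > 2;
}

// Filter the headers an application asked for before they reach the wire.
// Values containing CR or LF are refused as well, so a script cannot smuggle
// an extra header line inside an otherwise permitted one.
function filterRequestHeaders(requested) {
  const accepted = {};
  const rejected = [];
  for (const [name, value] of Object.entries(requested)) {
    if (isSettableHeader(name) && !/[\r\n]/.test(String(value))) {
      accepted[normalizeHeaderName(name)] = String(value);
    } else {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}

// Constructed sample input: a mix of permitted, experimental and refused headers.
const sampleRequest = {
  'Accept': 'text/xml',
  'X-Requested-With': 'XMLHttpRequest',
  'Host': 'other.example',
  'Referer': 'http://other.example/',
};
console.log(filterRequestHeaders(sampleRequest));
```

Only the whitelisted names and the "x-" header survive; `Host` and `Referer` are reported in `rejected` so the caller can surface an error instead of silently dropping them.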