- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 07 Apr 2008 16:21:56 -0700
- To: Anne van Kesteren <annevk@opera.com>
- CC: Elias Sinderson <elias@soe.ucsc.edu>, public-appformats@w3.org

Anne van Kesteren wrote:
>
> On Mon, 07 Apr 2008 21:18:03 +0200, Elias Sinderson <elias@soe.ucsc.edu>
> wrote:
>> Anne van Kesteren wrote:
>>> I have updated the editor's draft of the Access Control for
>>> Cross-site Requests specification to include support for HTTP
>>> headers [...] Nothing else has changed because no other changes have
>>> been proposed.
>>
>> Thanks for the update, much appreciated.
>> I see no mention of If-* headers and cannot recall there being reason
>> provided to omit them (on-list, at least). Certainly being able to
>> make conditional requests that would otherwise be allowed as
>> non-conditional should be allowed?
>
> They are allowed. Though even for GET requests they would require a
> preflight request first. Currently the only headers that are allowed
> without preflight (only GET requests can go without a preflight) are
> Accept and Accept-Language, based on earlier feedback from Ian Hickson.
> However, maybe we should simply remove those and always require a
> preflight request for a request with "custom" headers. Not sure.

I think it's useful to have a white-list of headers that should be safe
for GET requests without a pre-flight request. I would actually like to
expand the list a little. There was a thread on that a while ago, but it
seemed to have died without reaching a useful list.

/ Jonas

Received on Monday, 7 April 2008 23:24:17 UTC