- From: mike amundsen <mamund@yahoo.com>
- Date: Mon, 7 Apr 2008 20:56:25 -0400
- To: public-appformats@w3.org
I offered a proposed list of request headers for the whitelist here:
http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0282.html

Since the recent draft includes explicit information on including Authentication and Cookie support, the end-portion of the above post is out-of-date.

MikeA

On Mon, Apr 7, 2008 at 7:21 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> Anne van Kesteren wrote:
> > On Mon, 07 Apr 2008 21:18:03 +0200, Elias Sinderson <elias@soe.ucsc.edu> wrote:
> > > Anne van Kesteren wrote:
> > > > I have updated the editor's draft of the Access Control for Cross-site Requests specification to include support for HTTP headers [...] Nothing else has changed because no other changes have been proposed.
> > >
> > > Thanks for the update, much appreciated.
> > > I see no mention of If-* headers and cannot recall there being reason provided to omit them (on-list, at least). Certainly being able to make conditional requests that would otherwise be allowed as non-conditional should be allowed?
> >
> > They are allowed. Though even for GET requests they would require a preflight request first. Currently the only headers that are allowed without preflight (only GET requests can go without a preflight) are Accept and Accept-Language, based on earlier feedback from Ian Hickson. However, maybe we should simply remove those and always require a preflight request for a request with "custom" headers. Not sure.
>
> I think it's useful to have a white-list of headers that should be safe for GET requests without a pre-flight request. I would actually like to expand the list a little. There was a thread on that a while ago, but it seemed to have died without reaching a useful list.
>
> / Jonas

--
mca
http://amundsen.com/blog/
Received on Tuesday, 8 April 2008 00:57:00 UTC