- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 11 Apr 2008 16:31:49 +0200
- To: "WAF WG (public)" <public-appformats@w3.org>

So these are the open issues as far as I can tell. I haven't tried addressing any of them yet as I hope we get some more feedback first, but at some point we'll have to move forward.

Issue 1

Define a list of request headers that don't trigger a preflight request for a request using the HTTP GET method.

We already got some input on this. Once I get the WebApps wiki to work we should maybe list them there so we can brainstorm about it. The list would need to be evaluated by security folks.

Issue 2

Define a list of response headers that can be read after a cross-site request.

The Access Control specification needs to clearly define which response headers are visible after a cross-site request. This information is currently in the XMLHttpRequest Level 2 specification (in the getResponseHeader() section) and should be moved.

Issue 3

Jonas Sicking says there's a third issue, but he hasn't elaborated on that yet.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 11 April 2008 14:31:39 UTC