- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 14 Feb 2008 04:58:43 +0100
- To: "Ian Hickson" <ian@hixie.ch>, "John Panzer" <jpanzer@acm.org>
- Cc: "WAF WG (public)" <public-appformats@w3.org>

On Thu, 14 Feb 2008 00:36:05 +0100, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 13 Feb 2008, John Panzer wrote:
>> Some of today's APIs like Flickr put authorization evidence into URL
>> query parameters for CSR. It's mildly bad to do this because such
>> things are more likely to get logged and sniffed than headers, and you
>> can't separate the resource URL from the authorization proof being
>> presented to use it, which would be useful in caching.
>
> Also agreed. That's one of the reasons that XMLHttpRequest + Access
> Control together let you set arbitrary extension headers.

This is currently not the case for XMLHttpRequest level 2. Based on feedback from Mozilla only Accept and Accept-Language can be set for cross-site requests.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 14 February 2008 03:54:59 UTC