- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 18 Feb 2008 16:07:27 -0800
- To: mike amundsen <mamund@yahoo.com>
- Cc: public-appformats@w3.org
mike amundsen wrote:
> I've read some threads that lead me to think that the Mozilla plan is
> to block certain HTTP Headers in their implementation of CSR. I can't
> find any details on this and would like some clarification.
>
> What, if any, HTTP Headers are going to be disallowed? Is this for all
> HTTP Methods?

First off, note that there are no particular headers disallowed when using the access-control spec in general. I.e. any headers normally sent with a request will be sent for cross-site requests that use the access-control spec.

We do however limit which headers can be set using the XMLHttpRequest.setRequestHeader method. Looking at the code it currently only allows "accept" and "accept-language". Not actually sure what this very short list was based on. I do think we should at the very least also allow "content-type".

If you have any further suggestions for headers that you think would be safe, do let me know.

/ Jonas
Received on Tuesday, 19 February 2008 00:07:56 UTC
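
The restriction described in the message above, modelled as an added example; it is not part of the original message and is not Mozilla's code. The function names, the example URLs and the choice to report refused headers (rather than drop them silently or throw) are assumptions made for illustration.

```javascript
// Added illustration: a model of an allowlist on author-set request headers
// for cross-site requests. Not Mozilla's implementation.

// Headers the message says setRequestHeader currently allows cross-site.
const CROSS_SITE_ALLOWED = new Set(["accept", "accept-language"]);

// HTTP header names consist of "token" characters (RFC 7230, section 3.2.6).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Same origin means scheme, host and port all match.
function isCrossSite(pageUrl, targetUrl) {
  return new URL(pageUrl).origin !== new URL(targetUrl).origin;
}

// Split author-set headers into those applied and those refused.
// Assumption: refused headers are reported back to the caller.
function filterAuthorHeaders(pageUrl, targetUrl, headers, allowed = CROSS_SITE_ALLOWED) {
  const crossSite = isCrossSite(pageUrl, targetUrl);
  const applied = {};
  const refused = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    if (!TOKEN.test(name)) {
      refused.push(name); // malformed name, never sent
    } else if (crossSite && !allowed.has(key)) {
      refused.push(name); // not on the cross-site allowlist
    } else {
      applied[key] = value;
    }
  }
  return { crossSite, applied, refused };
}

// Constructed sample request, not taken from the thread.
const sample = filterAuthorHeaders(
  "http://app.example/editor",
  "http://api.example/items",
  {
    "Accept": "application/json",
    "Content-Type": "application/xml",
    "X-Requested-With": "XMLHttpRequest",
  }
);
console.log(sample);
```

Passing `new Set([...CROSS_SITE_ALLOWED, "content-type"])` as the fourth argument models the extension suggested in the message.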