- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 19 Feb 2008 08:48:58 +0100
- To: "Mark Baker" <distobj@acm.org>, "mike amundsen" <mamund@yahoo.com>
- Cc: "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On Tue, 19 Feb 2008 05:21:12 +0100, Mark Baker <distobj@acm.org> wrote: > On 2/18/08, mike amundsen <mamund@yahoo.com> wrote: >> >> John makes a good point. >> >> There are a number of 'non-spec' HTTP Headers in use that should not >> be pre-empted. Some Atom servers support the X-WSSE header[1] is >> another one. Trying to come up with a list of allowed headers is >> really the wrong way to go. >> >> I suggest someone try to make the opposite case - a header that should >> not be allowed. > > Been there, done that; > > http://lists.w3.org/Archives/Public/public-webapi/2006May/0008.html No, these are completely different cases. What you're referring to is ok for same-origin requests and is what the same-origin requests still allow. Non same-origin requests probably require a different policy though. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Tuesday, 19 February 2008 07:44:50 UTC