- From: Mark Baker <distobj@acm.org>
- Date: Tue, 19 Feb 2008 09:33:02 -0500
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 19 Feb 2008 05:21:12 +0100, Mark Baker <distobj@acm.org> wrote:
> > On 2/18/08, mike amundsen <mamund@yahoo.com> wrote:
> >>
> >> John makes a good point.
> >>
> >> There are a number of 'non-spec' HTTP headers in use that should not
> >> be pre-empted. The X-WSSE header[1], which some Atom servers support,
> >> is another one. Trying to come up with a list of allowed headers is
> >> really the wrong way to go.
> >>
> >> I suggest someone try to make the opposite case - a header that should
> >> not be allowed.
> >
> > Been there, done that;
> >
> > http://lists.w3.org/Archives/Public/public-webapi/2006May/0008.html
>
> No, these are completely different cases. What you're referring to is ok
> for same-origin requests and is what same-origin requests still allow.
> Non-same-origin requests probably require a different policy though.

I think it's the same case. The issue in both cases is that the script
should always be subordinate to the user agent, whose job it is to ensure
that the messages it sends are valid HTTP messages that don't misrepresent
either the user or its own capabilities.

Mark.

-- 
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Tuesday, 19 February 2008 14:33:11 UTC
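The thread argues over an allow-list versus a deny-list for the headers a script may set through XMLHttpRequest. The following is an added example, not code from the thread or from any browser or specification: it models the deny-list position in JavaScript. The user agent reserves the headers that describe the connection, the message framing or the user (the names and prefixes in the lists below are illustrative assumptions, not the reserved list of any spec), rejects anything that is not a syntactically valid HTTP field so the message stays a valid HTTP message, and lets every other header through, including non-spec ones such as X-WSSE.

```javascript
// Added example (not from the original thread): a deny-list model of
// "the script is subordinate to the user agent" for request headers.
// UA_OWNED_HEADERS and UA_OWNED_PREFIXES are illustrative assumptions,
// not the reserved list from any specification.

// RFC 7230 token grammar for a header name: one or more tchar,
// which excludes whitespace, separators and control characters.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// A field value may not carry CR, LF or other control characters
// (apart from horizontal tab); CR/LF in a value is header injection.
const FIELD_VALUE_RE = /^[\t\x20-\x7E\x80-\xFF]*$/;

// Headers the user agent keeps for itself in this model (assumed list).
const UA_OWNED_HEADERS = new Set([
  'host',              // names the server the UA is actually talking to
  'content-length',    // message framing, computed by the UA
  'transfer-encoding', // message framing
  'connection',        // hop-by-hop, belongs to the connection layer
  'cookie',            // carries the user's ambient credentials
  'origin',            // tells the server which site is asking
  'referer',           // likewise
]);

// Prefixes reserved in this model for proxy- and UA-generated headers.
const UA_OWNED_PREFIXES = ['proxy-', 'sec-'];

// Decide whether a script-supplied header may go on the wire.
function checkRequestHeader(name, value) {
  if (typeof name !== 'string' || !TOKEN_RE.test(name)) {
    return { ok: false, reason: 'invalid header name' };
  }
  if (typeof value !== 'string' || !FIELD_VALUE_RE.test(value)) {
    return { ok: false, reason: 'invalid header value' };
  }
  const lower = name.toLowerCase();
  if (UA_OWNED_HEADERS.has(lower) ||
      UA_OWNED_PREFIXES.some((p) => lower.startsWith(p))) {
    return { ok: false, reason: 'header is controlled by the user agent' };
  }
  return { ok: true, reason: null };
}

// Assemble the header block a hypothetical XHR-like object would send:
// the UA's own headers first, then every script header that passes the
// check. Rejected script headers are reported rather than silently dropped.
function buildRequestHeaders(scriptHeaders, uaHeaders) {
  const headers = { ...uaHeaders };
  const rejected = [];
  for (const [name, value] of scriptHeaders) {
    const result = checkRequestHeader(name, value);
    if (result.ok) {
      headers[name.toLowerCase()] = value;
    } else {
      rejected.push({ name, reason: result.reason });
    }
  }
  return { headers, rejected };
}

// Constructed sample input: a script that sets a non-spec auth header
// and also tries to take over Cookie and smuggle a second header line.
const sample = buildRequestHeaders(
  [
    ['X-WSSE', 'UsernameToken Username="bob"'],
    ['Cookie', 'session=attacker-chosen'],
    ['X-Debug', 'on\r\nHost: evil.example'],
  ],
  { host: 'example.org', 'content-length': '0' },
);
console.log(JSON.stringify(sample, null, 2));
```

The check deliberately compares names case-insensitively and runs before any header is added, so a script cannot smuggle a reserved header by changing its case or by folding a CRLF into the value of a permitted one.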