- From: mike amundsen <mamund@yahoo.com>
- Date: Tue, 19 Feb 2008 10:21:36 -0500
- To: "Mark Baker" <distobj@acm.org>
- Cc: "Anne van Kesteren" <annevk@opera.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org

Mark:

Thanks for sharing the thread. The approach makes sense to me. What was the final result?

MikeA

On Feb 19, 2008 9:33 AM, Mark Baker <distobj@acm.org> wrote:
> On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote:
> > On Tue, 19 Feb 2008 05:21:12 +0100, Mark Baker <distobj@acm.org> wrote:
> > > On 2/18/08, mike amundsen <mamund@yahoo.com> wrote:
> > >>
> > >> John makes a good point.
> > >>
> > >> There are a number of 'non-spec' HTTP Headers in use that should not
> > >> be pre-empted. Some Atom servers support the X-WSSE header[1] is
> > >> another one. Trying to come up with a list of allowed headers is
> > >> really the wrong way to go.
> > >>
> > >> I suggest someone try to make the opposite case - a header that should
> > >> not be allowed.
> > >
> > > Been there, done that;
> > >
> > > http://lists.w3.org/Archives/Public/public-webapi/2006May/0008.html
> >
> > No, these are completely different cases. What you're referring to is ok
> > for same-origin requests and is what the same-origin requests still allow.
> > Non same-origin requests probably require a different policy though.
>
> I think it's the same case. The issue in both cases is that the
> script should always be subordinate to the user agent whose job it is
> to ensure that the messages it sends are valid HTTP messages that
> don't misrepresent either the user or its own capabilities.
>
> Mark.
> --
> Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
> Coactus; Web-inspired integration strategies http://www.coactus.com
>

--
mca
http://amundsen.com/blog/

Received on Tuesday, 19 February 2008 15:21:49 UTC