- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 25 Feb 2008 21:55:18 +0100
- To: "Kris Zyp" <kzyp@sitepen.com>, "WAF WG (public)" <public-appformats@w3.org>
On Fri, 15 Feb 2008 17:14:24 +0100, Kris Zyp <kzyp@sitepen.com> wrote:

> 1. Why for non same-origin requests, are users limited to only setting
> "Accept" and "Accept-Language" HTTP headers. Couldn't we allow a larger
> set of safe headers to be included? At least one could define a prefixed
> set of allowable headers (like users could set headers "Cross-*"). This
> seems an excessive restraint and prevents some very useful functionality.

There's a new proposal for this:

  http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html

I think it addresses your concerns.

> 2. Can non-GET access only be granted as a response to user agent OPTION
> requests? Is there a reason that servers can't preemptively include
> access control headers (including policy path and max age) in GET
> responses to grant future non-GET request? Since most non-GET requests
> will probably be preceded by GET requests, it seems like user agents
> could more efficiently determine access level if prior responses
> explicitly granted access. Of course, using the OPTION requests as
> outlined in the WD would still be appropriate if prior responses (if
> any) had not granted access.

No such optimization has been discussed and I'm not sure we should add it.
If this indeed becomes a common pattern we can always optimize later.
(Premature optimization and all...)

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 25 February 2008 20:50:26 UTC
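The two points in the exchange above, a short whitelist of request headers that need no preflight and the rule that a non-GET cross-origin request is only ever authorised by an OPTIONS preflight (never by headers on an earlier GET response), are modelled below from the user agent's side. This is an added example for illustration, not code from the thread, from the Access Control draft, or from any browser. It uses the header names the draft was later standardised under as CORS (Access-Control-Allow-Origin, -Allow-Methods, -Allow-Headers, -Max-Age), which is an assumption about later spec text; the 2008 WD spelled them differently. `FakeServer` and `UserAgent` are constructed stand-ins, the preflight cache is keyed per URL only (the "policy path" idea is not modelled), and the safe-header set holds just the two headers named in the thread.

```python
import time

# Request headers a user agent may add to a cross-origin request without
# asking first. Only the two headers the thread names are listed here.
SAFE_REQUEST_HEADERS = {"accept", "accept-language"}


def needs_preflight(method, headers):
    """Draft rule as discussed in the thread: a GET carrying only safe headers
    goes straight out; any other method, or any other header, needs an
    OPTIONS preflight first."""
    if method.upper() != "GET":
        return True
    return any(h.lower() not in SAFE_REQUEST_HEADERS for h in headers)


class FakeServer:
    """Constructed stand-in for the cross-origin server. options_hits counts
    the preflights it actually receives, so a test can see caching work."""

    def __init__(self, allow_origin, allow_methods, allow_headers, max_age):
        self.allow_origin = allow_origin
        self.allow_methods = allow_methods
        self.allow_headers = allow_headers
        self.max_age = max_age
        self.options_hits = 0

    def handle(self, method, origin):
        hdrs = {"Access-Control-Allow-Origin": self.allow_origin}
        if method == "OPTIONS":
            self.options_hits += 1
            hdrs["Access-Control-Allow-Methods"] = ", ".join(self.allow_methods)
            hdrs["Access-Control-Allow-Headers"] = ", ".join(self.allow_headers)
            hdrs["Access-Control-Max-Age"] = str(self.max_age)
            return 200, hdrs, b""
        # The GET response advertises the same policy (the "preemptive grant"
        # Kris asked about). The user agent below ignores it for future
        # non-GET requests, matching Anne's answer that no such shortcut exists.
        hdrs["Access-Control-Allow-Methods"] = ", ".join(self.allow_methods)
        return 200, hdrs, b"body"


class UserAgent:
    def __init__(self, origin, clock=time.time):
        self.origin = origin
        self.clock = clock
        # (origin, url) -> (expiry, allowed methods, allowed header names)
        self.preflight_cache = {}

    def _split(self, value):
        return {v.strip() for v in value.split(",") if v.strip()}

    def _preflight(self, server, url, method, headers):
        """Return True if a cached or fresh OPTIONS preflight grants the request."""
        key = (self.origin, url)
        entry = self.preflight_cache.get(key)
        if entry and entry[0] > self.clock():
            _, methods, allowed_headers = entry
        else:
            status, h, _ = server.handle("OPTIONS", self.origin)
            if status != 200 or h.get("Access-Control-Allow-Origin") not in (self.origin, "*"):
                return False
            methods = {m.upper() for m in self._split(h.get("Access-Control-Allow-Methods", ""))}
            allowed_headers = {x.lower() for x in self._split(h.get("Access-Control-Allow-Headers", ""))}
            expiry = self.clock() + int(h.get("Access-Control-Max-Age", "0"))
            self.preflight_cache[key] = (expiry, methods, allowed_headers)
        if method.upper() != "GET" and method.upper() not in methods:
            return False
        return all(x.lower() in SAFE_REQUEST_HEADERS or x.lower() in allowed_headers
                   for x in headers)

    def fetch(self, server, url, method="GET", headers=()):
        """Return the response body, or None when the cross-origin request is blocked."""
        if needs_preflight(method, headers) and not self._preflight(server, url, method, headers):
            return None
        _, h, body = server.handle(method, self.origin)
        if h.get("Access-Control-Allow-Origin") not in (self.origin, "*"):
            return None  # response must not be exposed to the calling page
        return body
```

Driving `UserAgent.fetch` with a POST, then a second POST within `max_age`, shows one OPTIONS round trip on the server; a plain GET first never primes the cache, which is exactly the optimisation the thread declines to add.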