- From: mike amundsen <mca@amundsen.com>
- Date: Tue, 26 Feb 2008 04:43:43 -0500
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "John Panzer" <jpanzer@acm.org>, "WAF WG (public)" <public-appformats@w3.org>
I propose the following HTTP Headers be added to the white list:

Accept
Accept-Language
Accept-Ranges
Age
Allow
Cache-Control
Content-Disposition
Content-Language
Content-Location
Content-MD5
Content-Range
Content-Type
ETag
Expect
Expires
From
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Last-Modified
Location
Max-Forwards
Pragma
Range
Refresh
Retry-After
Server
Transfer-Encoding
User-Agent
Vary
Warning

Also, in reading the proposal, I'm not clear on how black-listed headers will be treated. For example, the XMLHttpRequest spec marks the Content-Length header as restricted. I assume you mean restricted from scripting authors and not removed from the collection of headers passed between client and server.

MikeA

On Mon, Feb 25, 2008 at 3:51 PM, Anne van Kesteren <annevk@opera.com> wrote:
>
> On Fri, 22 Feb 2008 08:21:26 +0100, John Panzer <jpanzer@acm.org> wrote:
> > Looks good to me. (Is there a way for a server to distinguish a
> > preflight for a GET vs. a preflight for a POST? Probably fine either
> > way.)
>
> No. At some point we had a request header that indicated for which method
> the preflight request was but we dropped that along with whitelisting
> specific methods. I don't think it's necessary, but please do tell if you
> come up with something.
>
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>

--
mca
http://amundsen.com/blog/
Received on Tuesday, 26 February 2008 09:43:54 UTC