- From: <sird@rckc.at>
- Date: Tue, 8 Dec 2009 18:46:43 +0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Received on Tuesday, 8 December 2009 10:47:43 UTC
Oh, I would swear it was different before. =S.. my fail (maybe cache?)

So, I'm really sorry, it does state Set-Cookie/2 should be ignored.

@Anne, what about the - alias for _ on Apache on request headers?

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 6:37 PM, Anne van Kesteren <annevk@opera.com> wrote:

> On Sun, 06 Dec 2009 17:38:05 +0100, Adam Barth <w3c@adambarth.com> wrote:
>
>> On Sun, Dec 6, 2009 at 8:19 AM, sird@rckc.at <sird@rckc.at> wrote:
>>
>>> 3.- Do you really want to return to the user ALL http headers with
>>> getAllResponseHeaders? think of Set-Cookie + httpOnly
>>>
>>
>> I believe most (all?) implementations block returning Set-Cookie
>> headers with HttpOnly cookies. If the spec doesn't say this, it's out
>> of step with common practice.
>>
>
> RTFS? ;-)
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>