- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 11 Apr 2006 03:48:36 +0000 (UTC)
- To: Darin Fisher <darin@meer.net>
- Cc: public-webapi@w3.org
On Mon, 10 Apr 2006, Darin Fisher wrote:
>
> > If the open() method is called with a URI that points to a third-party
> > domain, then:
> >
> > setRequestHeader() must be prevented from setting the Domain and
> > Referer headers.
>
> But, it can set "Cookie" and "Authorization" headers? That should be
> okay.

Right; the normal restrictions still apply (it can add cookies but not
remove them, it can set a username/password but not the Authorization
header, or whatever the rules are -- the proposal only mentions things
that need to change).

> I assume that IP address literals are also supported (w/ "[]" escaping
> for IPv6 address literals).

Good point, the spec should make sure it covers IP addresses as well as
host names (probably by treating them identically).

> > Access check: If there are response headers with the name
> > "Access-Control", then they must have their values parsed as the data
> > part of an <?access-control?> PI.
>
> Are there any cases where the allowed contents of the PI would not be
> allowed as a HTTP header value?

Only newlines aren't allowed in HTTP header values, so I don't think so.

> Can you clarify what happens when an "Access-Control" header does not
> agree with an <?access-control?> PI? Or, suppose there are multiple
> "Access-Control" headers.

Same as if there are multiple <?access-control?> PIs. The proposal
basically makes all the Access-Control headers and <?access-control?> PIs
be treated identically, and then defers to the (yet-to-be-written) spec
for <?access-control?> on how they are handled.

> It seems like it should be okay for getAllResponseHeaders() to return
> the subset of response headers that getResponseHeader() may see.

I considered that, but couldn't see the use case. I don't mind saying
that's what it does, so long as we are clear that it can't give you any
information that getResponseHeader() can't give you.

-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/          U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 11 April 2006 03:48:49 UTC
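The rules discussed in the message above, modelled as a small added example (not code from the thread, the proposal, or any browser): third-party detection that treats IP literals like host names, the setRequestHeader() gate for Domain and Referer, the newline constraint on carrying PI data in a header, and the collection of multiple Access-Control headers alongside <?access-control?> PIs. It assumes WHATWG URL parsing, that the port is ignored when comparing hosts, that headers are collected before PIs, and a hypothetical `normalRulesAllow` hook for the ordinary same-origin header restrictions the thread leaves unspecified.

```javascript
// Header names the proposal forbids setRequestHeader() from setting for a
// third-party target (compared case-insensitively, as HTTP header names are).
const CROSS_DOMAIN_FORBIDDEN = new Set(["domain", "referer"]);

// Host names and IP literals (IPv6 written as "[...]") are normalised by the
// URL parser and then compared as plain strings, so a literal address is
// handled exactly like a host name. Assumption: the port is not considered.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

function isThirdParty(docUrl, targetUrl) {
  return hostOf(docUrl) !== hostOf(targetUrl);
}

// The setRequestHeader() gate: Domain and Referer are refused once open() was
// given a third-party URI; every other header falls through to the normal
// restrictions, modelled here by the assumed `normalRulesAllow` hook.
function mayRequestHeader(docUrl, targetUrl, name, normalRulesAllow = () => true) {
  const n = name.toLowerCase();
  if (isThirdParty(docUrl, targetUrl) && CROSS_DOMAIN_FORBIDDEN.has(n)) {
    return false;
  }
  return normalRulesAllow(n);
}

// PI data can be carried as an HTTP header value only if it has no line break;
// that is the one thing a header value cannot contain.
function usableAsHeaderValue(piData) {
  return !/[\r\n]/.test(piData);
}

// Every Access-Control header is treated as if it were another
// <?access-control?> PI: gather all of them, in order, for the access-control
// parser that the thread defers to. `responseHeaders` is a list of
// [name, value] pairs; `piDataList` holds the data parts of any PIs found.
function accessControlPolicies(responseHeaders, piDataList = []) {
  const fromHeaders = responseHeaders
    .filter(([name]) => name.toLowerCase() === "access-control")
    .map(([, value]) => value.trim());
  return [...fromHeaders, ...piDataList];
}

// Constructed sample response headers for a quick demonstration.
const SAMPLE_HEADERS = [
  ["Content-Type", "text/xml"],
  ["Access-Control", "allow <*>"],
  ["access-control", "deny <other.example>"],
];
```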