- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 20 Mar 2006 10:13:21 -0800
- To: Charles McCathieNevile <chaals@opera.com>, Web APIs WG <public-webapi@w3.org>
Charles McCathieNevile wrote:
>
> On Sat, 18 Mar 2006 03:17:55 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>
>> I have an action to ask Hixie why the whatwg spec for XHR restricts
>> more headers than our current draft.
>>
>> He said that the spec is basically still a work in progress and that
>> he had gotten many comments on it that were not yet addressed.
>>
>> His recommendation is that we go ahead with the spec as is and collect
>> comments on our own.
>>
>> The intended reason for the restrictions was simply security.
>
> As I have said before, I have a strong preference that we do not place
> restrictions on specs for security reasons. It makes sense that we have
> a security issues section in a spec, noting things that are commonly
> done by user agents, but I am not convinced that it makes sense to
> prohibit things which have use cases in a trusted environment just so
> the Foo spec can be complete and stand-alone in an untrusted
> environment.

I completely agree. Though I think some of the headers make sense to always limit since they would otherwise break the HTTP spec, like 'host' for example.

/ Jonas
Received on Monday, 20 March 2006 18:13:25 UTC