[xhr] cross site proposal headers

Hi All,

A couple of questions regarding the cross-site XHR proposal:
http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012

As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest 
cross-site requests should always have the headers set through
setRequestHeader removed. This includes requests done after a redirect 
to a different server.

Why prevent a user from setting the "Content-Access-Control" header? 
That is generally a response header and I'd expect servers to ignore it.

What is the purpose of the Referer-Root header? Why can't sites rely on 
the Referer header?

/ Jonas

Received on Monday, 23 July 2007 08:36:31 UTC