- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 26 Jul 2007 13:34:39 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>, "Web APIs WG" <public-webapi@w3.org>
On Mon, 23 Jul 2007 10:35:27 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> A couple of questions regarding the cross-site XHR proposal:
> http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012
>
> As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest
> cross-site requests should always have the headers set through
> setRequestHeader removed. This includes requests done after a redirect
> to a different server.
>
> Why prevent a user from setting the "Content-Access-Control" header?
> That is generally a response header and I'd expect servers to ignore it.

If requests with arbitrary headers set can harm a server they are already
vulnerable. Is it really wise to restrict this?

> What is the purpose of the Referer-Root header? Why can't sites rely on
> the Referer header?

Isn't Referer disabled by some third-party software now and then? Such as
antivirus software?

Another reason is probably that Referer-Root contains the exact format
needed for the access check. We could use that in the access-control
document probably.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 26 July 2007 11:34:49 UTC