- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 26 Jul 2007 16:45:06 -0700
- To: Anne van Kesteren <annevk@opera.com>
- CC: Web APIs WG <public-webapi@w3.org>
Anne van Kesteren wrote:
>
> On Thu, 26 Jul 2007 13:34:39 +0200, Anne van Kesteren <annevk@opera.com>
> wrote:
>>> Why prevent a user from setting the "Content-Access-Control" header?
>>> That is generally a response header and I'd expect servers to ignore it.
>>
>> If requests with arbitrary headers set can harm a server they are
>> already vulnerable. Is it really wise to restrict this?
>
> Actually, this is untrue for intranets and such. Hmm.

Intranets are no problem since we should forbid setRequestHeader for
cross-site requests anyway.

/ Jonas
Received on Thursday, 26 July 2007 23:45:54 UTC