Re: [XMLHttpRequest2] response headers for cross-site requests

Anne van Kesteren wrote:
> 
> Currently XMLHttpRequest Level 2 has restrictions on getting response 
> headers when doing a cross-site request. I have a feeling these may be 
> an artifact of the slightly older model.
> 
> getAllResponseHeaders() returns the empty string currently.
> 
> getResponseHeader(header) returns null unless header is one of 
> Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, 
> Pragma.
> 
> I think we should be able to change this. (Though we can't expose 
> Set-Cookie and Set-Cookie2 obviously.)
> 
> Any thoughts?
> 
> 
> (I bcc'ed the WAF WG list as there might be some people there interested 
> in this. Please reply to the Web API WG list. I'll be happy when this 
> work ends up in the same group soonish...)

I'd wonder what the purpose of this is? I.e. what's the use case?

We don't want to allow access to cookie and authentication headers, 
right? Are you sure there is not anything else like it as well that 
authors won't unintentionally expose?

/ Jonas

Received on Tuesday, 8 April 2008 17:33:11 UTC
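
An added example, not part of the original messages: a JavaScript model of the cross-site restriction described in the quoted text, next to a relaxed policy, that lists which headers of a response would become readable to a cross-site script. The relaxed policy (everything except Set-Cookie and Set-Cookie2), the function names and the sample response are assumptions made for illustration.

```javascript
// Model of the two cross-site header-exposure policies discussed in the thread.
// Header names compare case-insensitively, so names are lowercased first.
const CURRENT_ALLOWED = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);
// Assumption: the relaxed policy withholds only these two headers.
const RELAXED_BLOCKED = new Set(["set-cookie", "set-cookie2"]);

// headers: array of [name, value] pairs as received from the server.
function getResponseHeader(headers, name, policy) {
  const key = name.toLowerCase();
  const visible = policy === "current"
    ? CURRENT_ALLOWED.has(key)
    : !RELAXED_BLOCKED.has(key);
  if (!visible) return null;
  const values = headers
    .filter(([n]) => n.toLowerCase() === key)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

function getAllResponseHeaders(headers, policy) {
  if (policy === "current") return ""; // per the thread: the empty string
  return headers
    .filter(([n]) => !RELAXED_BLOCKED.has(n.toLowerCase()))
    .map(([n, v]) => `${n}: ${v}\r\n`)
    .join("");
}

// Header names a script could read under the relaxed policy but not the current one.
function newlyExposed(headers) {
  const names = new Set(headers.map(([n]) => n.toLowerCase()));
  return [...names].filter(
    (n) => getResponseHeader(headers, n, "current") === null &&
           getResponseHeader(headers, n, "relaxed") !== null
  ).sort();
}

// Constructed sample response (not taken from the thread).
const SAMPLE = [
  ["Content-Type", "application/json"],
  ["Set-Cookie", "sid=constructed-value; HttpOnly"],
  ["WWW-Authenticate", 'Basic realm="example"'],
  ["X-Internal-Trace", "constructed-trace-id"],
  ["Cache-Control", "no-store"],
];
```

Running `newlyExposed` over a server's real responses gives the list of headers an author would need to review before such a change.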