- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 08 Apr 2008 10:38:37 -0700
- To: Anne van Kesteren <annevk@opera.com>
- CC: "Web API WG (public)" <public-webapi@w3.org>
Anne van Kesteren wrote:
> On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> I'd wonder what the purpose of this is? I.e. what's the use case?
>
> The main use case for not restricting headers too much is that it gives
> more consistency with same-origin requests. This presumably allows the
> same kind of scenarios that nowadays happen same-origin to be done non
> same-origin.
>
>> We don't want to allow access to cookie and authentication headers,
>> right?
>
> Right.
>
>> Are you sure there isn't anything else like it as well that authors
>> won't unintentionally expose?
>
> That's what I'm asking for, I suppose.

For what it's worth, I do think that whatever list we come up with should be part of the access-control spec rather than the XHR2 spec. This is very much tied in to the security model, which is what the access-control spec describes.

/ Jonas
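The model the two of them are circling is easier to see in code than in prose: a small default set of response headers is always readable cross-origin, the server can opt further headers in, and cookie and authentication headers are denied no matter what the server lists. The filter below is an added illustration, not code from this thread, from Mozilla or from the W3C drafts; the specific safelist, the forbidden `Set-Cookie`/`Set-Cookie2` names and the `Access-Control-Expose-Headers` opt-in mechanism are taken from the later Fetch/CORS standard and are assumptions relative to the 2008 discussion, and the sample response is constructed.

```javascript
// Added example: which response headers a cross-origin XMLHttpRequest caller
// may read. The lists below follow the later Fetch/CORS standard (an
// assumption relative to the 2008 drafts discussed in the thread).

// Readable cross-origin by default.
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Never exposed, regardless of what the server lists (cookie headers).
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// Authentication challenges are likewise kept out of cross-origin reach.
const AUTH_RELATED = new Set(['www-authenticate', 'proxy-authenticate']);

// Parse the server's opt-in list into lower-cased header names.
function parseExposeHeaders(value) {
  if (!value) return new Set();
  return new Set(
    value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Given the headers exactly as the server sent them (name -> value), return
// the subset (lower-cased names) that a cross-origin script may observe.
function exposedHeaders(responseHeaders) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = value;
  }
  const optIn = parseExposeHeaders(lower['access-control-expose-headers']);
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    // Deny-list wins over any opt-in: a server cannot expose these by listing them.
    if (FORBIDDEN.has(name) || AUTH_RELATED.has(name)) continue;
    if (SAFELISTED.has(name) || optIn.has(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample response: the server tries to expose Set-Cookie, which
// the filter must still drop.
const sampleResponse = {
  'Content-Type': 'application/json',
  'X-Request-Id': 'abc123',
  'X-RateLimit-Remaining': '42',
  'Set-Cookie': 'session=deadbeef; HttpOnly',
  'WWW-Authenticate': 'Basic realm="api"',
  'Access-Control-Expose-Headers': 'X-Request-Id, Set-Cookie',
};

console.log(exposedHeaders(sampleResponse));
// { 'content-type': 'application/json', 'x-request-id': 'abc123' }
```

Running it shows the point of Jonas's question: `X-Request-Id` becomes visible only because the server opted it in, `X-RateLimit-Remaining` stays hidden because it did not, and `Set-Cookie` and `WWW-Authenticate` stay hidden even though the server listed one of them, which is the property the thread wants the access-control spec, not XHR2, to pin down.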
Received on Tuesday, 8 April 2008 17:41:25 UTC