- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 10 Apr 2008 05:06:09 +0000 (UTC)
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, "Web API WG (public)" <public-webapi@w3.org>
On Tue, 8 Apr 2008, Anne van Kesteren wrote:
>
> On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> > I'd wonder what the purpose of this is? I.e. what's the use case?
>
> The main use case for not restricting headers too much is that it gives
> more consistency with same-origin requests.

That's not a use case, it's a language design decision.

I don't think we should change this without a better reason. There's no reason to believe that some servers don't have information in the headers that shouldn't be seen by third-parties, and it's the kind of thing that would be really easy to miss when securing a page for third-party access.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 April 2008 05:06:53 UTC