Re: Security-sensitive headers

On Wed, 20 Feb 2008 02:51:34 +0100, Collin Jackson  
<collinj@cs.stanford.edu> wrote:
> I just realized that I missed that the header security restrictions on
> same-origin requests are different from the restrictions on cross-site
> requests. Only the "Accept" and "Accept-Language" headers can be set
> for cross-site requests.
>
> This policy is much more restrictive -- perhaps overly so, since
> authors are encouraged to use setRequestHeader to set the (prohibited)
> Content-Type header in Section 3.5.3.

This is now reverted to an open issue mostly coming out of discussion on  
the WAF WG list. The latest proposal on how to deal with headers is here:

   http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html

I believe that is the way to go.


I have added "Sec-" prefixed headers to the blacklist for  
setRequestHeader(). I will also make this change for XMLHttpRequest Level  
1.


Another thing you mentioned was adding Cookie (and presumably Cookie2) to  
this list as Internet Explorer already does this. I think I'll add those  
too unless there are good reasons not to.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Monday, 25 February 2008 11:48:55 UTC
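The setRequestHeader() blacklist behaviour this message describes, as an added example that is not part of the thread, of the XMLHttpRequest specification text, or of any browser's code: a small JavaScript model of the check. The forbidden set is limited to what the message names (any header starting with "Sec-", plus Cookie and Cookie2); today's user agents forbid more names than that, so treat the list as illustrative. The RequestHeaders class, the demo() function and the sample header values are assumptions made for the example.

```javascript
"use strict";

// Added example, not code from the thread or from any browser.
// Forbidden set modelled only on what the message names: the "Sec-" prefix,
// Cookie and Cookie2. Real user agents block a longer list (assumption).
const FORBIDDEN_NAMES = new Set(["cookie", "cookie2"]);
const FORBIDDEN_PREFIXES = ["sec-"];

// A header field-name must be an RFC 7230 token; anything else is a syntax error.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHeaderName(name) {
  return typeof name === "string" && TOKEN_RE.test(name);
}

// Header names are case-insensitive, so "COOKIE" and "sec-origin" are
// blocked exactly like "Cookie" and "Sec-Origin". Only a leading "Sec-"
// counts: "X-Sec-Thing" is an ordinary custom header.
function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase();
  if (FORBIDDEN_NAMES.has(lower)) return true;
  return FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Illustrative stand-in for the request header list that setRequestHeader()
// edits: invalid names throw, forbidden names are silently dropped (the call
// returns false here so the effect is visible), and repeating a name combines
// the values rather than replacing the earlier one.
class RequestHeaders {
  constructor() {
    this.map = new Map();
  }

  set(name, value) {
    if (!isValidHeaderName(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (isForbiddenRequestHeader(name)) return false;
    const key = name.toLowerCase();
    const prev = this.map.get(key);
    this.map.set(key, prev === undefined ? String(value) : `${prev}, ${value}`);
    return true;
  }

  get(name) {
    return this.map.get(name.toLowerCase());
  }

  toObject() {
    return Object.fromEntries(this.map);
  }
}

// Constructed sample calls: what a script would try, and what survives.
function demo() {
  const h = new RequestHeaders();
  const results = {
    cookie: h.set("Cookie", "session=abc"),            // dropped: script cannot forge the cookie header
    sec: h.set("Sec-Origin", "http://evil.example"),   // dropped: "Sec-" is reserved for the user agent
    custom: h.set("X-Requested-With", "XMLHttpRequest"), // kept
    accept1: h.set("Accept", "text/html"),             // kept
    accept2: h.set("Accept", "application/json"),      // kept and combined with the first Accept
  };
  return { results, headers: h.toObject() };
}
```

Running demo() shows the two forbidden calls returning false while the header list ends up holding only x-requested-with and a combined accept value; the point of the "Sec-" rule is precisely that a header carrying a browser-asserted fact cannot be overwritten from script, so a server can trust it.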