- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 12 May 2008 17:11:49 +0200
- To: "Sunava Dutta" <sunavad@windows.microsoft.com>
- Cc: "public-webapi@w3.org" <public-webapi@w3.org>, "Gideon Cohn" <gidco@windows.microsoft.com>, "Ahmed Kamel" <Ahmed.Kamel@microsoft.com>, "Zhenbin Xu" <zhenbinx@windows.microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>
On Fri, 18 Apr 2008 03:00:46 +0200, Sunava Dutta <sunavad@windows.microsoft.com> wrote:

> So essentially summarizing my two requests for your convenience.
>
> 1. Mentioning for each header the reasons for restriction. (I think security is paramount but for shipped implementations I would hesitate to reduce surface area of attack unless there is a compelling reason. It's much harder to restrict once we ship!)

The restrictions on allowed headers have come forth based on implementation feedback from Opera, Apple, and Mozilla. If you have feedback that suggests the list of headers should be different, please let us know.

> 2. Protecting Access-Control-Origin header from being set in XHR.
>
> Cheers and thank you!

I agree that Access-Control-Origin needs to be blocked, but shouldn't we add this header in XMLHttpRequest Level 2? Adding it in XMLHttpRequest Level 1 seems slightly odd, though I don't feel strongly either way.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 12 May 2008 15:12:30 UTC
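The thread above is about which request headers a user agent must refuse to let script set through `XMLHttpRequest.setRequestHeader()`, with `Access-Control-Origin` as the header in question. The following is an added example, not code from the thread or from any browser: it models that check as a user agent would apply it. The forbidden-name list is an assumption taken from today's Fetch Standard (where the 2008 draft name `Access-Control-Origin` became `Origin`), with the draft name added so the case discussed here is covered; header-name validation uses the RFC 7230 token grammar.

```javascript
// Added example: a user-agent-style model of setRequestHeader(). Forbidden
// names are silently ignored (XHR does not throw for them); syntactically
// invalid names or values throw SyntaxError. The forbidden list below is
// assumed from the current Fetch Standard plus the 2008 draft name
// "Access-Control-Origin" that this thread discusses (now "Origin").
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
  "access-control-origin", // 2008 draft name used in the thread above
]);
// Method-override headers are forbidden only when their value names a
// method that script may never send.
const METHOD_OVERRIDE_HEADERS = new Set(
  ["x-http-method", "x-http-method-override", "x-method-override"]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);
// RFC 7230 token characters; a header field name must match this.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isForbiddenRequestHeader(name, value = "") {
  const n = name.toLowerCase();
  // Whole prefixes are reserved for the user agent.
  if (n.startsWith("proxy-") || n.startsWith("sec-")) return true;
  if (FORBIDDEN_REQUEST_HEADERS.has(n)) return true;
  if (METHOD_OVERRIDE_HEADERS.has(n)) {
    return value.split(",")
      .some((m) => FORBIDDEN_METHODS.has(m.trim().toUpperCase()));
  }
  return false;
}

// Applies the XHR rules to a Map of author request headers and returns it,
// so the caller can see exactly what would reach the wire.
function setRequestHeader(headers, name, value) {
  if (!TOKEN_RE.test(name)) throw new SyntaxError(`invalid header name: ${name}`);
  if (/[\0\r\n]/.test(value)) throw new SyntaxError("invalid header value");
  if (isForbiddenRequestHeader(name, value)) return headers; // dropped
  const key = name.toLowerCase();
  // XHR combines repeated headers into one value separated by ", ".
  headers.set(key, headers.has(key) ? `${headers.get(key)}, ${value}` : value);
  return headers;
}
```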