- From: Adam Barth <public-webapi@adambarth.com>
- Date: Mon, 12 May 2008 22:42:59 -0700
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "Sunava Dutta" <sunavad@windows.microsoft.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "Gideon Cohn" <gidco@windows.microsoft.com>, "Ahmed Kamel" <Ahmed.Kamel@microsoft.com>, "Zhenbin Xu" <zhenbinx@windows.microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>
On Mon, May 12, 2008 at 8:11 AM, Anne van Kesteren <annevk@opera.com> wrote: > > 2. Protecting Access-Control-Origin header from being set in XHR. > > Cheers and thank you! > > I agree that Access-Control-Origin needs to be blocked, but shouldn't we > add this header in XMLHttpRequest Level 2? Adding it in XMLHttpRequest Level > 1 seems slightly odd, though I don't feel strongly either way. One option is to rename the header "Sec-Origin", which is already blocked in XHR Level 1. Adam
Received on Tuesday, 13 May 2008 08:08:45 UTC