- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 16 May 2008 11:01:38 +0200
- To: "Ian Hickson" <ian@hixie.ch>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
- Cc: public-webapi@w3.org
On Wed, 14 May 2008 22:45:32 +0200, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 14 May 2008, Bjoern Hoehrmann wrote:
>>
>> Note that there are more headers on the list than the ones listed above,
>> specifically Proxy-*, Sec-*, and it is unclear how to handle, say, the
>> Cookie and Authorization header.
>
> I think I would lump the Cookie, Cookie2, and Authorization headers in the
> same bucket as, e.g., Host -- these are headers that the UA should be
> setting and not headers that should be under author control.

Agreed, I added these.

> Incidentally, I think I would recommend removing the blacklist from AC,
> since AC has a whitelist. Having both seems pointless.

Access Control for Cross-Site Requests does actually allow arbitrary headers
in the request, though a preflight request is required if they are not in
the whitelist. Therefore it is important that the blacklist is still there
to filter out all headers that should not be allowed even if the server
agrees. (Arguably this blacklist is not relevant in the XMLHttpRequest case
because there those headers are filtered at an earlier level.)

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 16 May 2008 09:02:13 UTC
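The two-layer filtering the message describes (the UA's header blacklist applied first, then the Access Control whitelist deciding whether a preflight is needed), as an added JavaScript model; this is not code from the thread, from the XMLHttpRequest or Access Control drafts, or from any browser. The blacklist entries are the ones named in the thread; the whitelist contents are an assumption taken from the later Fetch standard, since the thread does not list them.

```javascript
// Layer 1: headers the UA sets itself and the author may never override.
// Names and prefixes are the ones named in the thread.
const FORBIDDEN_HEADERS = new Set(["host", "cookie", "cookie2", "authorization"]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Layer 2: the whitelist of "simple" headers that need no preflight.
// ASSUMED list (the thread does not give it), simplified from the later
// Fetch standard: Content-Type is simple only for a few form-style types.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isForbidden(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_HEADERS.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

function isSimple(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADERS.has(n)) return true;
  if (n === "content-type") {
    // Parameters such as ";charset=utf-8" do not affect the decision here.
    const mime = value.split(";")[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mime);
  }
  return false;
}

// headers: [name, value] pairs as an author would pass to setRequestHeader().
// Returns the headers the blacklist dropped, the ones that survive, and
// whether the surviving set forces a preflight under the whitelist.
// The blacklist runs first, so a forbidden header is gone even if the
// server would later agree to it in the preflight response.
function classifyRequestHeaders(headers) {
  const dropped = [];
  const kept = [];
  for (const [name, value] of headers) {
    if (isForbidden(name)) dropped.push(name);
    else kept.push([name, value]);
  }
  const needsPreflight = kept.some(([n, v]) => !isSimple(n, v));
  return { dropped, kept, needsPreflight };
}

// Constructed sample: Cookie is dropped by the blacklist; X-Requested-With
// is outside the whitelist, so the remaining request still needs a preflight.
const sample = classifyRequestHeaders([
  ["Cookie", "session=abc"],
  ["Content-Type", "text/plain"],
  ["X-Requested-With", "XMLHttpRequest"],
]);
```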