[access-control] header black list

On Tue, 17 Jun 2008 06:59:50 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Block lists are unacceptable, we all agree. The block list currently in
> the spec really should be moved to the XMLHttpRequest Level 1 spec as
> that is where the issue lies, not with the Access-Control spec.

Other host language implementations of Access Control that allow setting
of headers need the same kind of protection. That's why the header list is
there. Alternatively we could make it a requirement on the host language
implementation, e.g. XMLHttpRequest, to do this filtering, but that would
still require listing the headers in some way in the Access Control

This applies to the CONNECT, TRACE, and TRACK verbs as well, but I've not
yet addressed that in the specification.

Anne van Kesteren

Received on Tuesday, 17 June 2008 13:41:35 UTC