- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 17 Jun 2008 15:40:53 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>, "Sunava Dutta" <sunavad@windows.microsoft.com>
- Cc: "Arthur Barstow" <art.barstow@nokia.com>, "Marc Silbey" <marcsil@windows.microsoft.com>, public-webapps <public-webapps@w3.org>, "Eric Lawrence" <ericlaw@exchange.microsoft.com>, "Chris Wilson" <Chris.Wilson@microsoft.com>, "David Ross" <dross@windows.microsoft.com>, "Mark Shlimovich (SWI)" <marksh@microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>, "Zhenbin Xu" <Zhenbin.Xu@microsoft.com>, "Michael Champion" <Michael.Champion@microsoft.com>
On Tue, 17 Jun 2008 06:59:50 +0200, Jonas Sicking <jonas@sicking.cc> wrote:

> Block lists are unacceptable we all agree. The block list currently in
> the spec really should be moved to the XMLHttpRequest Level 1 spec as
> that is where the issue lies, not with the Access-Control spec.

Other host language implementations of Access Control that allow setting of headers need the same kind of protection. That's why the header list is there. Alternatively we could make it a requirement on the host language implementation, e.g. XMLHttpRequest, to do this filtering, but that would still require listing the headers in some way in the Access Control specification.

This applies to the CONNECT, TRACE, and TRACK verbs as well, but I've not yet addressed that in the specification.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 17 June 2008 13:41:35 UTC