Re: ISSUE-24 (Allow List Scope): Which headers should be allowed in the Allow List? [Access Control] from Jonas Sicking on 2008-07-01 (public-webapps@w3.org from July to September 2008)

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 01 Jul 2008 14:59:21 -0700
To: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <486AA8B9.80409@sicking.cc>

Web Applications Working Group Issue Tracker wrote:
> ISSUE-24 (Allow List Scope): Which headers should be allowed in the Allow List? [Access Control]
> 
> http://www.w3.org/2008/webapps/track/issues/
> 
> Raised by: Doug Schepers
> On product: Access Control
> 
> What is the full range of headers that should be allowed in AC?  What is the process to add them?

To be specific, this is about which headers are in the white-list of 
headers that do not need preflight checking for GET requests. Currently 
the list is only:

Accept
Accept-Language

but we might want to add more. However note that any other header can be 
sent, but requires explicit opt-in from the server.

/ Jonas

Received on Tuesday, 1 July 2008 22:00:52 UTC