Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

On Mon, 19 Apr 2010 05:29:12 +0900, Tyler Close <tyler.close@gmail.com> wrote:
> On Fri, Apr 16, 2010 at 5:52 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> However I do like the idea of having a header which enumerates which
>> additional headers can be exposed. That seems like it'll add similar
>> value to exposing things by default, but with much less risk.
>>
>> Didn't mnot suggest something like that as part of his HTTP review?
>
> If Mozilla agrees to implement it, I'd like UMP to specify a new
> header named "U" whose value is either "*" or a list of allowed
> response headers. A response with this header is opting out of Same
> Origin Policy protection for both the response entity and the listed
> response headers. The response is not required to also include the
> Access-Control-Allow-Origin header, but can for compatibility with
> current implementations.
>
> This solution would get two birds with one stone, allowing us to
> deprecate the verbose and misleading header name that mnot also
> complained about.

You'd still be restricted in terms of the request headers you can use. For  
CORS I plan on using Access-Control-Expose-Headers for consistency. If all  
implementors agree I would be happy to shorten the header names, but at  
this point that seems unlikely.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 19 April 2010 07:05:37 UTC