- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 19 Apr 2010 16:04:48 +0900
- To: "Jonas Sicking" <jonas@sicking.cc>, "Tyler Close" <tyler.close@gmail.com>
- Cc: "Arthur Barstow" <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Mon, 19 Apr 2010 05:29:12 +0900, Tyler Close <tyler.close@gmail.com> wrote:
> On Fri, Apr 16, 2010 at 5:52 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> However I do like the idea of having a header which enumerates which
>> additional headers can be exposed. That seems like it'll add similar
>> value to exposing things by default, but with much less risk.
>>
>> Didn't mnot suggest something like that as part of his HTTP review?
>
> If Mozilla agrees to implement it, I'd like UMP to specify a new
> header named "U" whose value is either "*" or a list of allowed
> response headers. A response with this header is opting out of Same
> Origin Policy protection for both the response entity and the listed
> response headers. The response is not required to also include the
> Access-Control-Allow-Origin header, but can for compatibility with
> current implementations.
>
> This solution would get two birds with one stone, allowing us to
> deprecate the verbose and misleading header name that mnot also
> complained about.

You'd still be restricted in terms of the request headers you can use.

For CORS I plan on using Access-Control-Expose-Headers for consistency. If all implementors agree I would be happy to shorten the header names, but at this point that seems unlikely.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 19 April 2010 07:05:37 UTC