- From: Nathan <nathan@webr3.org>
- Date: Wed, 12 May 2010 19:50:09 +0100
- To: public-webapps <public-webapps@w3.org>
All, Serious concern this time, I've just noted that as per 6.1 Cross-Origin Request of the CORS spec, User Agents must strip all response headers other than: * Cache-Control * Content-Language * Content-Type * Expires * Last-Modified * Pragma This simply can't be, many other headers are needed Link header is going to be heavily used (notably for Web Access Control!) Allow is needed when there's a 405 response (use GET instead of POST) Content-Location is needed to be able to show the user the real URI and provide it for subsequent requests and bookmarks Location is needed when a new resource has been created via POST (where a redirect wouldn't happen). Retry-After & Warning are needed for rather obvious reasons. There are non rfc2616 headers on which functionality is often dependent (DAV headers for instance) - SPARQL Update also exposes via the MS-Author-via header. In short there are a whole host of reasons why many different headers are needed (including many not listed here). Nathan
Received on Wednesday, 12 May 2010 18:58:14 UTC