- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 27 Oct 2012 08:28:46 +0200
- To: "Hill, Brad" <bhill@paypal-inc.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>
On Sat, Oct 27, 2012 at 1:40 AM, Hill, Brad <bhill@paypal-inc.com> wrote: > http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0004.html > > This bug report on CORS, that the “Last-Event-ID” header should be a simple > header, (along with Origin and Referer based on the status of actual > implementations) is the last substantive change to the document that remains > unresolved. > > I would like to propose we add “Last-Event-ID”, “Origin” and “Referer” to > the set of simple headers. Are there any objections, concerns or comments? Simple headers are matched against author request headers. None of the headers you list is an author request header in their respective standards. They are set by the user agent. Origin and Referer in particular must never be set by web developers. Last-Event-ID would be okay, but the use case is not really compelling in my opinion. -- http://annevankesteren.nl/
Received on Saturday, 27 October 2012 06:29:45 UTC