W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2012

Re: [webappsec] CORS bug 19315

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 27 Oct 2012 08:28:46 +0200
Message-ID: <CADnb78jP+wVkFjnD4+mMHKui3YY6umEd5q13dfLcQi+0PsXDnQ@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>
On Sat, Oct 27, 2012 at 1:40 AM, Hill, Brad <bhill@paypal-inc.com> wrote:
> http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0004.html
> This bug report on CORS, that the “Last-Event-ID” header should be a simple
> header, (along with Origin and Referer based on the status of actual
> implementations) is the last substantive change to the document that remains
> unresolved.
> I would like to propose we add “Last-Event-ID”, “Origin” and “Referer” to
> the set of simple headers.   Are there any objections, concerns or comments?

Simple headers are matched against author request headers. None of the
headers you list is an author request header in their respective
standards. They are set by the user agent. Origin and Referer in
particular must never be set by web developers. Last-Event-ID would be
okay, but the use case is not really compelling in my opinion.

Received on Saturday, 27 October 2012 06:29:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:29 UTC