- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 20 Jun 2011 04:14:54 -0700
On Mon, Jun 20, 2011 at 4:06 AM, Anne van Kesteren <annevk at opera.com> wrote: > On Mon, 20 Jun 2011 13:02:38 +0200, Jonas Sicking <jonas at sicking.cc> wrote: >> >> One thing to keep in mind though is that in the case of XHR, the >> Content-Type header is often in direct control of the page, even >> through means other than setRequestHeader. For example by creating a >> Blob with a specific content type using the .slice method. > > Maybe Blob and File when not packaged in FormData should force a preflight > then? I don't see a reason to do that other than when the Content-Type has a value other than the ones listed in the "simple headers" description. All that I'm saying is that for XHR, there are at least two APIs which allows the page to set headers, .setRequestHeader and .send. Though possibly a safer way to think about it is that the Content-Type header should always be inspected to see if a preflight is needed, no matter if the header is set by the page or by the implementation. I think I like the latter approach more since it seems safer. / Jonas
Received on Monday, 20 June 2011 04:14:54 UTC