- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 22 Jun 2009 08:08:25 +0200
- To: François REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>
- Cc: "CSS 3 W3C Group" <www-style@w3.org>

On Mon, 22 Jun 2009 08:00:12 +0200, François REMY <fremycompany_pub@yahoo.fr> wrote:
> From: "Anne van Kesteren" <annevk@opera.com>
>> Where is this header defined?
>
> In the XHR Cross-Site Scripting module, if I remember.

I'm not sure what you mean by that, though as editor of the XMLHttpRequest specifications (and as editor of CORS) I can tell you there is no X-Allow-... header defined in those specifications.

>> Making it use the same headers as the CORS protocol but with wildly
>> different semantics does not seem like a good idea to me. Also, I'm
>> somewhat skeptical that something which negatively affects clients that
>> implement it when incorrectly used can be successfully deployed.
>
> If they can use it for the XHR, why could they not use it for trying to
> secure their own documents?

It is not about restricting. As I said earlier CORS is about _lifting_ a restriction (that is present e.g. with XMLHttpRequest), not imposing one.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 22 June 2009 06:09:11 UTC