- From: François REMY <fremycompany_pub@yahoo.fr>
- Date: Mon, 22 Jun 2009 08:17:33 +0200
- To: "Anne van Kesteren" <annevk@opera.com>, "Robert O'Callahan" <robert@ocallahan.org>
- Cc: "CSS 3 W3C Group" <www-style@w3.org>
From: "Anne van Kesteren" <annevk@opera.com>
> On Mon, 22 Jun 2009 08:00:12 +0200, François REMY
> <fremycompany_pub@yahoo.fr> wrote:
>> From: "Anne van Kesteren" <annevk@opera.com>
>>> Where is this header defined?
>>
>> In the XHR Cross-Site Scripting module, if I remember.
>
> I'm not sure what you mean by that, though as editor of the XMLHttpRequest
> specifications (and as editor of CORS) I can tell you there is no
> X-Allow-... header defined in those specifications.

Sorry, I looked at the specification and you're right.
The correct name is: Access-Control-Allow-Origin

>>> Making it use the same headers as the CORS protocol but with wildly
>>> different semantics does not seem like a good idea to me. Also, I'm
>>> somewhat skeptical that something which negatively affects clients that
>>> implement it when incorrectly used can be successfully deployed.
>>
>> If they can use it for the XHR, why could they not use it for trying to
>> secure their own documents?
>
> It is not about restricting. As I said earlier CORS is about _lifting_ a
> restriction (that is present e.g. with XMLHttpRequest), not imposing
> one.

This is the intent of my request, indeed. I never said a simple header
would provide full restriction.

> --
> Anne van Kesteren
> http://annevankesteren.nl/

Received on Monday, 22 June 2009 06:18:03 UTC