On Fri, 18 Apr 2008 03:00:46 +0200, Sunava Dutta <[EMAIL PROTECTED]> wrote:
So essentially summarizing my two requests for your convenience.

1. Mentioning for each header the reasons for restriction. (I think security is paramount but for shipped implementations I would hesitate to reduce surface area of attack unless there is a compelling reason. It's much harder to restrict once we ship!)

The restrictions on allowed headers have come forth based on implementation feedback from Opera, Apple, and Mozilla. If you have feedback that suggests the list of headers should be different, please let us know.


2. Protecting Access-Control-Origin header from being set in XHR.
Cheers and thank you!

I agree that Access-Control-Origin needs to be blocked, but shouldn't we add this header in XMLHttpRequest Level 2? Adding it in XMLHttpRequest Level 1 seems slightly odd, though I don't feel strongly either way.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
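The thread's point is that some request headers must be reserved for the browser so that a server can rely on them not having been written by page script. As an added illustration, not code from the thread or from any of the implementations mentioned, here is a small model of the check a browser applies inside XMLHttpRequest.setRequestHeader(): forbidden names are dropped silently and everything else is recorded as it would be sent. The header list and the prefix rule are assumptions for the example; the thread itself names only Access-Control-Origin.

```javascript
// Added example (not from the thread): a model of the forbidden-request-header
// check that XMLHttpRequest.setRequestHeader() applies. Headers in this set are
// owned by the browser, so a server can treat them as not script-controlled.
// The list is an assumption for illustration; only Access-Control-Origin is
// named in the thread.

const FORBIDDEN_REQUEST_HEADERS = new Set([
  "access-control-origin", // the header under discussion in the thread
  "host", "cookie", "origin", "referer", "content-length", "connection", "via"
]);

// Assumed prefix rule: any header name starting with one of these is forbidden.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase(); // header names are case-insensitive
  if (FORBIDDEN_REQUEST_HEADERS.has(n)) return true;
  return FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Minimal stand-in for the header-setting part of XHR so the effect can be
// observed offline. Real XHR ignores forbidden names without throwing; this
// model additionally records which names were ignored, for inspection.
class HeaderBag {
  constructor() {
    this.headers = new Map();
    this.ignored = [];
  }

  setRequestHeader(name, value) {
    if (isForbiddenRequestHeader(name)) {
      this.ignored.push(name);
      return;
    }
    const key = String(name).toLowerCase();
    // XHR combines repeated headers into one value separated by ", "
    this.headers.set(
      key,
      this.headers.has(key) ? `${this.headers.get(key)}, ${value}` : String(value)
    );
  }
}

// Apply a list of [name, value] pairs the way a page script would and return
// what would actually reach the wire versus what was dropped.
function buildRequest(entries) {
  const bag = new HeaderBag();
  for (const [name, value] of entries) bag.setRequestHeader(name, value);
  return { sent: Object.fromEntries(bag.headers), ignored: bag.ignored };
}

// Constructed sample: a script trying to forge the origin header alongside
// ordinary headers it is allowed to set.
const sample = buildRequest([
  ["Access-Control-Origin", "https://forged.example"],
  ["X-Requested-With", "XMLHttpRequest"],
  ["Accept", "text/html"],
  ["Accept", "application/json"],
  ["Proxy-Authorization", "Basic ..."]
]);
console.log(JSON.stringify(sample, null, 2));
```

The useful property to take from the model is the one Anne's reply depends on: the forged value never appears in `sent`, while headers the script is entitled to set go through unchanged, so server-side logic that keys on the browser-owned header is not influenced by page script.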
