On Thu, 14 Feb 2008 00:36:05 +0100, Ian Hickson <[EMAIL PROTECTED]> wrote:
> On Wed, 13 Feb 2008, John Panzer wrote:
>> Some of today's APIs like Flickr put authorization evidence into URL
>> query parameters for CSR.  It's mildly bad to do this because such
>> things are more likely to get logged and sniffed than headers, and you
>> can't separate the resource URL from the authorization proof being
>> presented to use it, which would be useful in caching.
>
> Also agreed. That's one of the reasons that XMLHttpRequest + Access
> Control together let you set arbitrary extension headers.

This is currently not the case for XMLHttpRequest level 2. Based on feedback from Mozilla, only Accept and Accept-Language can be set for cross-site requests.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
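
Added example, not part of the original thread: a JavaScript sketch of the two costs John Panzer describes when authorization evidence travels in the query string, namely that it ends up in access logs and that the resource URL cannot serve as a cache key until the evidence is separated out. The parameter names, the log.invalid placeholder origin and the log lines are assumptions constructed for illustration.

```javascript
// Added example. Parameter names are assumptions, not taken from the thread.
const AUTH_PARAMS = new Set(["auth_token", "api_sig", "access_token", "signature"]);

// Split a request URL into the bare resource URL and the authorization
// evidence carried in its query string.
function splitAuth(rawUrl) {
  const url = new URL(rawUrl);
  const evidence = {};
  for (const [name, value] of [...url.searchParams]) {
    if (AUTH_PARAMS.has(name.toLowerCase())) {
      evidence[name] = value;
      url.searchParams.delete(name);
    }
  }
  url.searchParams.sort(); // same cache key whatever the parameter order
  return { resource: url.toString(), evidence };
}

// Scrub one access-log line whose request field is "METHOD target HTTP/x.y".
function scrubLogLine(line) {
  let leaked = false;
  const scrubbed = line.replace(/"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/, (m, method, target, proto) => {
    if (!target.startsWith("/")) return m; // only origin-form targets are handled
    // log.invalid is a placeholder origin so the relative target parses.
    const { resource, evidence } = splitAuth("http://log.invalid" + target);
    leaked = Object.keys(evidence).length > 0;
    if (!leaked) return m;
    const u = new URL(resource);
    return `"${method} ${u.pathname}${u.search} ${proto}"`;
  });
  return { scrubbed, leaked };
}

// Constructed sample input.
const SAMPLE_LOG = [
  '203.0.113.7 - - [14/Feb/2008:00:36:05 +0100] "GET /rest?tags=cat&auth_token=TOKEN123 HTTP/1.1" 200 512',
  '203.0.113.7 - - [14/Feb/2008:00:36:09 +0100] "GET /index.html HTTP/1.1" 200 128',
];
for (const line of SAMPLE_LOG) console.log(scrubLogLine(line));
```

Two requests for the same resource with different tokens yield the same `resource` string, which is the separation a cache needs; evidence sent in a request header never reaches the logged request line at all.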
