On Thu, 14 Feb 2008 06:59:29 +0100, John Panzer <[EMAIL PROTECTED]> wrote:
Anne van Kesteren wrote:
This is currently not the case for XMLHttpRequest level 2. Based on
feedback from Mozilla only Accept and Accept-Language can be set for
cross-site requests.
(Aside: Surely Content-Type is allowed as well?)
Currently, no.
This rules out the use of AtomPub's (RFC5023) If-Match: header on PUT
for optimistic concurrency control, and the Slug: header[1] on POSTs for
suggesting the URI to mint. The first is especially troublesome.
It also eliminates the ability to do cache control (except crudely by
salting the URL, which of course fills up caches with dead data). It
makes it impossible to use the common X-Method-Override work-around for
intermediaries which don't support things other than GET and POST. It
prevents the use of the Range: header to get a subset of a resource.
And of course it prevents the use of any custom X- header for any
purpose.
I agree that it provides a lot of limitations. I believe the primary
concern is not provide new attack vectors. GET requests you can currently
issue don't allow setting of custom headers, for instance. However, this
concern does not apply to POST/PUT, etc. as there you make an initial
request to see if the server is ok with it.
Jonas?
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
