On Tue, 19 Feb 2008 05:21:12 +0100, Mark Baker <[EMAIL PROTECTED]> wrote:
> On 2/18/08, mike amundsen <[EMAIL PROTECTED]> wrote:
>
>> John makes a good point.
>>
>> There are a number of 'non-spec' HTTP Headers in use that should not
>> be pre-empted. The X-WSSE header[1], which some Atom servers support, is
>> another one. Trying to come up with a list of allowed headers is
>> really the wrong way to go.
>>
>> I suggest someone try to make the opposite case - a header that should
>> not be allowed.
>
> Been there, done that;
>
> http://lists.w3.org/Archives/Public/public-webapi/2006May/0008.html

No, these are completely different cases. What you're referring to is ok for same-origin requests and is what the same-origin requests still allow. Non same-origin requests probably require a different policy though.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
