On Fri, 22 Feb 2008 06:47:24 +0100, Jonas Sicking <[EMAIL PROTECTED]> wrote:
So this means that we're saying that if the server sends a response like
Access-Control: allow <*>
to an OPTIONS request, the server should be prepared to handle requests
that contain *any* user set header? I know we've talked about having
another header in the reply to the OPTIONS request that specified which
headers would be allowed. This would make me feel safer to be honest.
I don't think we should go there. That would complicate things a lot and
given that the headers will not be part of the OPTIONS request I don't
really see the problem. Also note that we had something like that before
for HTTP methods and removed it.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
