On Fri, 15 Feb 2008 17:14:24 +0100, Kris Zyp <[EMAIL PROTECTED]> wrote:
> 1. Why, for non same-origin requests, are users limited to only setting the "Accept" and "Accept-Language" HTTP headers? Couldn't we allow a larger set of safe headers to be included? At least one could define a prefixed set of allowable headers (like users could set headers "Cross-*"). This seems an excessive restraint and prevents some very useful functionality.
There's a new proposal for this: http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html

I think it addresses your concerns.
> 2. Can non-GET access only be granted as a response to user agent OPTION requests? Is there a reason that servers can't preemptively include access control headers (including policy path and max age) in GET responses to grant future non-GET requests? Since most non-GET requests will probably be preceded by GET requests, it seems like user agents could more efficiently determine access level if prior responses explicitly granted access. Of course, using the OPTION requests as outlined in the WD would still be appropriate if prior responses (if any) had not granted access.
No such optimization has been discussed and I'm not sure we should add it. If this indeed becomes a common pattern we can always optimize later. (Premature optimization and all...)
-- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
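The preflight-and-grant mechanism discussed in point 2, modelled as an added example that is not code from the thread or from any W3C draft: a user agent that caches grants by origin, URL and method until the max-age expires, plus a record_grant hook standing in for the proposed pre-emptive grant carried by an earlier (e.g. GET) response. The header names are borrowed from the later CORS specification and are an assumption here; the origins, URL and server policy are constructed.

```python
# Constructed model of the preflight discussed in the thread; not code from
# the message or any W3C draft. Header names are those of later CORS
# (Access-Control-Allow-Origin/-Allow-Methods/-Max-Age) and are assumed.
import time

SIMPLE_METHODS = {"GET"}  # per the thread, only non-GET needs a preflight


def server_preflight(origin, method):
    """Stand-in server answering an OPTIONS preflight with a grant or nothing."""
    allowed_origins = {"https://app.example"}  # constructed server policy
    if origin not in allowed_origins:
        return {}  # no grant: the user agent must not send the request
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "POST, PUT",
        "Access-Control-Max-Age": "600",
    }


def granted_methods(origin, headers):
    """Methods a response grants to exactly this origin (a grant is origin-bound)."""
    if headers.get("Access-Control-Allow-Origin") != origin:
        return set()
    methods = headers.get("Access-Control-Allow-Methods", "")
    return {m.strip() for m in methods.split(",") if m.strip()}


class UserAgent:
    """Caches grants per (origin, url, method) until max-age expires."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}  # (origin, url, method) -> expiry time
        self.preflights = 0  # OPTIONS round trips actually made

    def record_grant(self, origin, url, headers):
        """The optimisation proposed above: any prior response carrying a
        grant pre-seeds the cache so no OPTIONS round trip is needed later."""
        ttl = int(headers.get("Access-Control-Max-Age", "0"))
        for m in granted_methods(origin, headers):
            self.cache[(origin, url, m)] = self.clock() + ttl

    def may_send(self, origin, url, method):
        if method in SIMPLE_METHODS:
            return True
        if self.cache.get((origin, url, method), 0) > self.clock():
            return True  # still-valid cached grant: skip the OPTIONS request
        self.preflights += 1
        headers = server_preflight(origin, method)
        self.record_grant(origin, url, headers)
        return method in granted_methods(origin, headers)
```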
