Anne van Kesteren wrote:
> On Mon, 07 Apr 2008 21:18:03 +0200, Elias Sinderson <[EMAIL PROTECTED]>
> wrote:
>> Anne van Kesteren wrote:
>>> I have updated the editor's draft of the Access Control for
>>> Cross-site Requests specification to include support for HTTP
>>> headers [...] Nothing else has changed because no other changes have
>>> been proposed.
>>
>> Thanks for the update, much appreciated.
>>
>> I see no mention of If-* headers and cannot recall there being reason
>> provided to omit them (on-list, at least). Certainly being able to
>> make conditional requests that would otherwise be allowed as
>> non-conditional should be allowed?
>
> They are allowed. Though even for GET requests they would require a
> preflight request first. Currently the only headers that are allowed
> without preflight (only GET requests can go without a preflight) are
> Accept and Accept-Language, based on earlier feedback from Ian Hickson.
> However, maybe we should simply remove those and always require a
> preflight request for a request with "custom" headers. Not sure.

I think it's useful to have a white-list of headers that should be safe
for GET requests without a pre-flight request. I would actually like to
expand the list a little. There was a thread on that a while ago, but it
seemed to have died without reaching a useful list.
/ Jonas
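
The preflight rule described in this thread, as an added example that is not part of the original messages or of the specification text. The helper name `preflightDecision`, its return shape and the sample requests are assumptions made for illustration; the allow-list is a parameter so a longer list can be tried.

```javascript
// Rule as described in the thread for the 2008 editor's draft: only a GET
// request may skip the preflight, and only when every author-set header is
// on the allow-list, which held Accept and Accept-Language at the time.
const DRAFT_ALLOWED_HEADERS = ['Accept', 'Accept-Language'];

// Hypothetical helper (not a browser API). `headers` is a plain object or an
// array of [name, value] pairs; `allowed` can be swapped to try a longer list.
function preflightDecision(method, headers, allowed = DRAFT_ALLOWED_HEADERS) {
  const allow = new Set(allowed.map((h) => h.toLowerCase()));
  const pairs = Array.isArray(headers) ? headers : Object.entries(headers || {});
  // Header field names are case-insensitive, so compare them in lower case.
  const names = pairs.map(([name]) => String(name).trim().toLowerCase());
  const offending = [...new Set(names.filter((n) => !allow.has(n)))];
  const reasons = [];
  // Assumption: the method name is compared case-insensitively here.
  if (String(method).toUpperCase() !== 'GET') {
    reasons.push(`method ${method} is not GET`);
  }
  for (const name of offending) {
    reasons.push(`header ${name} is not on the allow-list`);
  }
  return { preflight: reasons.length > 0, reasons };
}

// Constructed sample requests, not taken from the thread.
const SAMPLES = [
  ['GET', { Accept: 'application/json' }],
  ['GET', { 'accept-language': 'nl', ACCEPT: '*/*' }],
  ['GET', { Accept: '*/*', 'If-None-Match': '"abc"' }], // conditional GET
  ['POST', {}],
];

for (const [method, headers] of SAMPLES) {
  const { preflight, reasons } = preflightDecision(method, headers);
  const verdict = preflight ? `preflight: ${reasons.join('; ')}` : 'no preflight';
  console.log(method, JSON.stringify(headers), '->', verdict);
}
```

The third sample is the conditional GET asked about above: under the rule as stated, the `If-None-Match` header alone forces a preflight.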