On Wed, 20 Feb 2008 02:51:34 +0100, Collin Jackson <[EMAIL PROTECTED]> wrote:
> I just realized that I missed that the header security restrictions on
> same-origin requests are different from the restrictions on cross-site
> requests. Only the "Accept" and "Accept-Language" headers can be set
> for cross-site requests.
>
> This policy is much more restrictive -- perhaps overly so, since
> authors are encouraged to use setRequestHeader to set the (prohibited)
> Content-Type header in Section 3.5.3.

This is now reverted to an open issue mostly coming out of discussion on the WAF WG list. The latest proposal on how to deal with headers is here:

  http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html

I believe that is the way to go.


I have added "Sec-" prefixed headers to the blacklist for setRequestHeader(). I will also make this change for XMLHttpRequest Level 1.


Another thing you mentioned was adding Cookie (and presumably Cookie2) to this list as Internet Explorer already does this. I think I'll add those too unless there are good reasons not to.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
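As an added illustration, not part of the thread and not code from any W3C draft, the following JavaScript models the two header rules discussed above as a browser-side check: a blacklist for same-origin requests (the "Sec-" prefix plus Cookie and Cookie2, as proposed in the reply) and a whitelist for cross-site requests (only Accept and Accept-Language). The function and class names are invented for this example; the real forbidden-header list in shipping browsers is longer than what is modelled here.

```javascript
// Added example: a model of setRequestHeader() restrictions as discussed in
// the thread. Not the XHR spec's own list, which contains further names.
// HTTP header names are case-insensitive, so every comparison is lowercased.

const SAME_ORIGIN_BLACKLIST = new Set(["cookie", "cookie2"]);
const SAME_ORIGIN_BLACKLISTED_PREFIXES = ["sec-"];
const CROSS_SITE_WHITELIST = new Set(["accept", "accept-language"]);

// An HTTP header name must be a "token" (RFC 2616 / RFC 7230 syntax);
// anything else (spaces, colons, control characters) is rejected outright.
function isValidHeaderName(name) {
  return typeof name === "string" && /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name);
}

// Decide whether script is allowed to set `name` on a request.
// crossSite=true applies the whitelist; crossSite=false applies the blacklist.
function isHeaderAllowed(name, crossSite) {
  if (!isValidHeaderName(name)) return false;
  const lower = name.toLowerCase();
  if (crossSite) return CROSS_SITE_WHITELIST.has(lower);
  if (SAME_ORIGIN_BLACKLIST.has(lower)) return false;
  // Prefix match on "sec-" only; a header named "Security-Token" is not caught.
  return !SAME_ORIGIN_BLACKLISTED_PREFIXES.some((p) => lower.startsWith(p));
}

// Minimal stand-in (hypothetical) for the header-setting part of an XHR object.
// Forbidden headers are recorded and dropped rather than sent; an invalid
// token throws, mirroring how XMLHttpRequest treats a malformed name.
class RequestHeaders {
  constructor(crossSite) {
    this.crossSite = crossSite;
    this.headers = new Map();
    this.rejected = [];
  }

  setRequestHeader(name, value) {
    if (!isValidHeaderName(name)) {
      throw new SyntaxError(`invalid header name: ${name}`);
    }
    if (!isHeaderAllowed(name, this.crossSite)) {
      this.rejected.push(name);
      return false;
    }
    const key = name.toLowerCase();
    // Repeated calls for the same header combine the values with ", ".
    this.headers.set(key, this.headers.has(key) ? `${this.headers.get(key)}, ${value}` : value);
    return true;
  }
}

// Usage: a same-origin request may carry Content-Type but never Cookie.
const sameOrigin = new RequestHeaders(false);
sameOrigin.setRequestHeader("Content-Type", "application/json");
sameOrigin.setRequestHeader("Cookie", "session=abc"); // dropped, logged in .rejected
```

The case-insensitive comparison matters: a check that only blocks the exact string "Cookie" would let "cookie" or "COOKIE" through, while the server treats all three identically.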
