On Tue, 8 Apr 2008, Anne van Kesteren wrote:
>
> On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> > I'd wonder what the purpose of this is? I.e. what's the use case?
>
> The main use case for not restricting headers too much is that it gives
> more consistency with same-origin requests.

That's not a use case, it's a language design decision.

I don't think we should change this without a better reason. There's no
reason to believe that some servers don't have information in the headers
that shouldn't be seen by third-parties, and it's the kind of thing that
would be really easy to miss when securing a page for third-party access.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'