On Mon, May 12, 2008 at 8:11 AM, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
> > 2. Protecting Access-Control-Origin header from being set in XHR.
> > Cheers and thank you!
>
> I agree that Access-Control-Origin needs to be blocked, but shouldn't we
> add this header in XMLHttpRequest Level 2? Adding it in XMLHttpRequest Level
> 1 seems slightly odd, though I don't feel strongly either way.

One option is to rename the header "Sec-Origin", which is already blocked in XHR Level 1.

Adam