On Wed, 14 May 2008 22:45:32 +0200, Ian Hickson <[EMAIL PROTECTED]> wrote:
> On Wed, 14 May 2008, Bjoern Hoehrmann wrote:
>> Note that there are more headers on the list than the ones listed above,
>> specifically Proxy-*, Sec-*, and it is unclear how to handle, say, the
>> Cookie and Authorization header.
>
> I think I would lump the Cookie, Cookie2, and Authorization headers in the
> same bucket as, e.g., Host -- these are headers that the UA should be
> setting and not headers that should be under author control.

Agreed, I added these.

> Incidentally, I think I would recommend removing the blacklist from AC,
> since AC has a whitelist. Having both seems pointless.

Access Control for Cross-Site Requests does actually allow arbitrary
headers in the request, though a preflight request is required if they are
not in the whitelist. Therefore it is important that the blacklist is
still there to filter out all headers that should not be allowed even if
the server agrees. (Arguably this blacklist is not relevant in the
XMLHttpRequest case because there those headers are filtered at an earlier
level.)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
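The interplay the reply describes, blacklist and whitelist doing different jobs, as an added example that is not part of the thread or of any spec draft: a model of the user agent's decision logic, where the blacklist holds the UA-controlled headers named above (Host, Cookie, Cookie2, Authorization, Proxy-*, Sec-*) and rejects them even when the server's preflight answer lists them, while the whitelist only decides whether a preflight is needed. The whitelist contents and the shape of the preflight answer are assumptions for illustration.

```javascript
// Added example, not code from the thread. Models a UA deciding what to do
// with author-supplied request headers on a cross-site request.

// Blacklist: headers the UA sets itself; never author-controllable.
const BLACKLIST = new Set(['host', 'cookie', 'cookie2', 'authorization']);
const BLACKLIST_PREFIXES = ['proxy-', 'sec-'];

// Whitelist (assumed for illustration): headers that may be sent without a
// preflight. Real rules also constrain the Content-Type value; omitted here.
const WHITELIST = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function isBlacklisted(name) {
  const n = name.toLowerCase();
  return BLACKLIST.has(n) || BLACKLIST_PREFIXES.some(p => n.startsWith(p));
}

// Classify a header map before any request is made.
// Returns 'reject' (author tried to set a UA-owned header), 'send' (all
// headers whitelisted, no preflight) or 'preflight' (server must agree first).
function classifyHeaders(headers) {
  let needsPreflight = false;
  for (const name of Object.keys(headers)) {
    if (isBlacklisted(name)) return 'reject';
    if (!WHITELIST.has(name.toLowerCase())) needsPreflight = true;
  }
  return needsPreflight ? 'preflight' : 'send';
}

// Apply the server's preflight answer (the value of an assumed
// Access-Control-Allow-Headers style list). The blacklist wins regardless of
// server consent: a server saying "Cookie" is allowed does not make it so.
function headersToSend(headers, allowHeadersValue) {
  const allowed = new Set(
    allowHeadersValue.split(',').map(s => s.trim().toLowerCase()).filter(Boolean));
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (isBlacklisted(n)) continue;                 // filtered even if server agrees
    if (WHITELIST.has(n) || allowed.has(n)) out[name] = value;
  }
  return out;
}

// Constructed sample: one whitelisted, one custom, one UA-owned header.
const sampleHeaders = { 'Accept': '*/*', 'X-Custom': '1', 'Cookie': 'sid=abc' };
console.log(classifyHeaders(sampleHeaders));                      // reject
console.log(headersToSend(sampleHeaders, 'X-Custom, Cookie'));    // Cookie dropped
```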