On Tue, 17 Jun 2008 06:59:50 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> Block lists are unacceptable, we all agree. The block list currently in the spec really should be moved to the XMLHttpRequest Level 1 spec as that is where the issue lies, not with the Access-Control spec.

Other host language implementations of Access Control that allow setting of headers need the same kind of protection. That's why the header list is there. Alternatively we could make it a requirement on the host language implementation, e.g. XMLHttpRequest, to do this filtering, but that would still require listing the headers in some way in the Access Control specification.
This applies to the CONNECT, TRACE, and TRACK verbs as well, but I've not yet addressed that in the specification.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
