Anne van Kesteren wrote:
> On Tue, 17 Jun 2008 06:59:50 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> > Block lists are unacceptable we all agree. The block list currently in
> > the spec really should be moved to the XMLHttpRequest Level 1 spec as
> > that is where the issue lies, not with the Access-Control spec.
>
> Other host language implementations of Access Control that allow setting
> of headers need the same kind of protection. That's why the header list
> is there. Alternatively we could make it a requirement on the host
> language implementation, e.g. XMLHttpRequest, to do this filtering, but
> that would still require listing the headers in some way in the Access
> Control specification.

These aren't headers that are dangerous in a cross-site environment,
these are headers that are dangerous period. So any other spec that
supports a sufficiently large part of the HTTP spec would need to worry
about them, whether it uses Access-Control or not.

> This applies to the CONNECT, TRACE, and TRACK verbs as well, but I've
> not yet addressed that in the specification.

Same thing here.

Listing these headers and methods in the AC spec just results in a
situation where specs can get out of sync. It seems much better to put
the headers in the XHR spec for now, and if any other spec ends up with
the same issues it can refer to the XHR spec.

Having it in the AC spec is only a source of confusion so far.

/ Jonas