On Tue, 15 Jul 2008 10:20:09 +0200, Ian Hickson <[EMAIL PROTECTED]> wrote:
On Tue, 15 Jul 2008, Anne van Kesteren wrote:
CROSS-SITE POST
We limit the amount of Content-Type header values people can set for the
simple cross-site POST request to those you can use with HTML forms
today. This list will not become a fixed list until we work out how
Access Control for Cross-Site Requests will work together with HTML5
forms.
This will lead to people lying about Content-Types, which is one of the
big problems with XDR. I don't think this is a good thing. (In
particular, it prevents us from sending XML over XHR, which is dumb
given the name of
the object if nothing else! Sending JSON and XML are the two biggest use
cases of this API.)
The idea is not to prevent it, but to require a preflight request for the
non-HTML forms Content-Types.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
