On 12.05.2010 22:39, Nathan wrote:
Devdatta wrote:
As for the "should CORS exist" discussion, I'll bow out of those until
we're starting to move towards officially adopting a WG decision one
way or another, or genuinely new information is provided which would
affect such a decision (for the record, I don't think I've seen any
new information provided since last fall's TPAC).
exactly -- I don't see this thread getting anywhere.
Vendors & Spec writers,
What would be really nice is if you gave us server admins, application
server-side developers and data publishers a say in this.
Thus I'll propose a new header:
Allow-XHR = "Allow-XHR" ":" Allow-XHR-v
Allow-XHR-v = "none" | "negotiate" | "all"
"none" defines no XHR access
"negotiate" defines the UA should negotiate CORS or UMP headers (leave
that up to you guys to decide what's best ;)
"all" defines that the UA should process the XHR request as a normal
client HTTP request leaving all information + headers intact.
...
From the side line: I hear that people were worried about having to add
new response headers just for CORS & friends. Was it ever discussed to
send these response headers only based on something in the *request*?
Best regards, Julian
