On 24/12/2011 1:32 a.m., Amos Jeffries wrote:
Now that tools are being implemented to access the cache manager via http:// scheme we need to accommodate the browser XSS protection mechanisms which limit XHR based scripts' abilities.

This adds CORS headers to manager responses, permitting XHR to view the Server header (to detect squid version for known capabilities) and to flag that the XHR request may need access to credentials for authenticating with the manager.

This also closes the feature bug 3407 requesting we support the non-standard "Origin:" header, which is used by the CORS mechanisms.

Future work:
Support the OPTIONS request used by CORS to detect requirements before POSTing. We do not yet use POST in the main code so that is left until needed.

Amos


Applied to trunk.

Amos
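
The browser-side rules that decide whether a credentialed XHR from another origin can read a manager response and its Server header, as an added example (not Squid's code and not part of the original thread). The origin, header values and function names are constructed for illustration.

```javascript
// Added example: evaluates a response against the browser CORS rules for a
// credentialed cross-origin XHR. All sample values below are constructed.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// pageOrigin: origin of the page running the XHR (value of the request's Origin header).
// wantedHeader: a response header the script wants to read via getResponseHeader().
function checkCredentialedCors(pageOrigin, responseHeaders, wantedHeader) {
  const h = lowerKeys(responseHeaders);
  const problems = [];
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (allowOrigin === '*') {
    problems.push('wildcard origin is rejected when credentials are sent');
  } else if (allowOrigin !== pageOrigin) {
    problems.push('allowed origin does not match the page origin');
  }
  // The value is compared exactly; "True" or "1" does not count.
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  const bodyReadable = problems.length === 0;
  // Server is not a CORS-safelisted response header, so it must be listed
  // explicitly; "*" is not a wildcard for credentialed requests.
  const exposed = (h['access-control-expose-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const headerReadable = bodyReadable && exposed.includes(wantedHeader.toLowerCase());
  if (bodyReadable && !headerReadable) problems.push(wantedHeader + ' is not exposed');
  return { bodyReadable, headerReadable, problems };
}

// Constructed sample responses for a page served from https://admin.example
const ORIGIN = 'https://admin.example';
const good = {
  'Server': 'squid/x.y',                       // placeholder version string
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Expose-Headers': 'Server',
};
const wildcard = { ...good, 'Access-Control-Allow-Origin': '*' };
const notExposed = { ...good, 'Access-Control-Expose-Headers': '' };

for (const [name, resp] of Object.entries({ good, wildcard, notExposed })) {
  console.log(name, JSON.stringify(checkCredentialedCors(ORIGIN, resp, 'Server')));
}
```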
