mike amundsen wrote:
> I've read some threads that lead me to think that the Mozilla plan is
> to block certain HTTP Headers in their implementation of CSR. I can't
> find any details on this and would like some clarification.
> What, if any, HTTP Headers are going to be disallowed? Is this for all
> HTTP Methods?
First off, note that there are no particular headers disallowed when
using the access-control spec in general. I.e. any headers normally sent
with a request will be sent for cross-site requests that use the
access-control spec.
We do however limit which headers can be set using the
XMLHttpRequest.setRequestHeader method. Looking at the code it currently
only allows "accept" and "accept-language". Not actually sure what this
very short list was based on. I do think we should at the very least
also allow "content-type". If you have any further suggestions for
headers that you think would be safe, do let me know.
/ Jonas
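A toy model of the policy Jonas describes, added here as an illustration and not Mozilla's code: headers the browser itself attaches go out unchanged on a cross-site request, while headers set from script are limited to "accept", "accept-language" and the proposed "content-type". The function names, the state object and the sample request are invented for the example.

```javascript
// Headers a page script may set on a cross-site XMLHttpRequest under the
// policy described in the thread; "content-type" is the proposed addition.
// HTTP header names are case-insensitive, so everything is compared lowercased.
const SCRIPT_SETTABLE = new Set(["accept", "accept-language", "content-type"]);

function normalizeHeaderName(name) {
  return String(name).trim().toLowerCase();
}

// Model of setRequestHeader for a cross-site request: returns true if the
// header is recorded, false if the browser refuses it (hypothetical state object).
function trySetRequestHeader(xhrState, name, value) {
  const key = normalizeHeaderName(name);
  if (!SCRIPT_SETTABLE.has(key)) return false;
  xhrState.scriptHeaders.set(key, value);
  return true;
}

// Assemble what actually leaves the browser: browser-controlled headers
// (cookies, user agent, ...) are always sent, script-set headers only if
// they passed the check above. Refused names are reported separately.
function buildCrossSiteRequest(method, browserHeaders, requestedHeaders) {
  const state = { scriptHeaders: new Map() };
  const rejected = [];
  for (const [name, value] of Object.entries(requestedHeaders)) {
    if (!trySetRequestHeader(state, name, value)) rejected.push(normalizeHeaderName(name));
  }
  const sent = new Map();
  for (const [name, value] of Object.entries(browserHeaders)) sent.set(normalizeHeaderName(name), value);
  for (const [name, value] of state.scriptHeaders) sent.set(name, value);
  return { method, sent, rejected };
}

// Constructed sample: a script tries to attach three headers to a cross-site POST.
const sample = buildCrossSiteRequest(
  "POST",
  { Cookie: "session=abc", "User-Agent": "ExampleBrowser/1.0" },
  { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest", Accept: "application/json" }
);
console.log("sent:", [...sample.sent.keys()], "rejected:", sample.rejected);
```

The point for a server operator is that only the short list of script-settable headers can be influenced by a cross-site page, while everything the browser adds on its own still arrives as usual.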