I propose the following HTTP Headers be added to the white list:

Accept
Accept-Language
Accept-Ranges
Age
Allow
Cache-Control
Content-Disposition
Content-Language
Content-Location
Content-MD5
Content-Range
Content-Type
ETag
Expect
Expires
From
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Last-Modified
Location
Max-Forwards
Pragma
Range
Refresh
Retry-After
Server
Transfer-Encoding
User-Agent
Vary
Warning

Also, in reading the proposal, I'm not clear on how black-listed headers will be treated. For example, the XMLHttpRequest spec marks the Content-Length header as restricted. I assume you mean restricted from scripting authors and not removed from the collection of headers passed between client and server.

MikeA

On Mon, Feb 25, 2008 at 3:51 PM, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
>
> On Fri, 22 Feb 2008 08:21:26 +0100, John Panzer <[EMAIL PROTECTED]> wrote:
> > Looks good to me. (Is there a way for a server to distinguish a
> > preflight for a GET vs. a preflight for a POST? Probably fine either
> > way.)
>
> No. At some point we had a request header that indicated for which method
> the preflight request was but we dropped that along with whitelisting
> specific methods. I don't think it's necessary, but please do tell if you
> come up with something.
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>

--
mca
http://amundsen.com/blog/
