So these are the open issues as far as I can tell. I haven't tried
addressing any of them yet as I hope we get some more feedback first, but
at some point we'll have to move forward.
Issue 1
Define a list of request headers that don't trigger a preflight request
for a request using the HTTP GET method. We already got some input on
this. Once I get the WebApps wiki to work we should maybe list them there
so we can brainstorm about it. The list would need to be evaluated by
security folks.
Issue 2
Define a list of response headers that can be read after a cross-site
request. The Access Control specification needs to clearly define which
response headers are visible after a cross-site request. This information
is currently in the XMLHttpRequest Level 2 specification (in the
getResponseHeader() section) and should be moved.
Issue 3
Jonas Sicking says there's a third issue, but he hasn't elaborated on that
yet.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
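The two decisions Issues 1 and 2 ask the specification to pin down, as an added example that is not part of the original message and not code from the Access Control or XMLHttpRequest specifications: a user-agent-style check of whether a cross-site request can be sent without a preflight, and of which response headers script may read afterwards. The header lists used here are an assumption: they are the ones the later Fetch/CORS standard settled on (the "safelisted" request and response headers), not the lists this message is asking to have defined, and the example covers the GET/HEAD/POST safelisted methods rather than GET alone.

```javascript
// Added example, not from the original message or from the spec drafts it discusses.
// Header lists below follow the later Fetch standard's CORS-safelisted definitions
// and are an assumption about the outcome of Issues 1 and 2, not the lists asked for.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const MAX_SAFELISTED_VALUE_LENGTH = 128; // bytes; the standard caps safelisted values

// Issue 1 building block: is one request header name/value CORS-safelisted?
// (The standard also rejects certain byte values inside Accept/Accept-Language/
// Content-Language; that byte-level check is omitted here for brevity.)
function isSafelistedRequestHeader(name, value) {
  if (new TextEncoder().encode(value).length > MAX_SAFELISTED_VALUE_LENGTH) return false;
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type": {
      // Only the MIME essence matters; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // any author-set header outside the list forces a preflight
  }
}

// Issue 1: does this cross-site request require a preflight (OPTIONS) first?
// A preflight is needed when the method is not safelisted or any header is not.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedRequestHeader(n, v));
}

// Issue 2: which response headers may script read after a cross-site response?
// Safelisted names are always readable; others only if the server opts them in
// via Access-Control-Expose-Headers (the "*" wildcard form is not handled here).
const SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

function readableResponseHeaders(responseHeaders) {
  const lowered = Object.fromEntries(
    Object.entries(responseHeaders).map(([n, v]) => [n.toLowerCase(), v]));
  const exposed = new Set(
    (lowered["access-control-expose-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));
  return Object.keys(lowered)
    .filter((n) => SAFELISTED_RESPONSE_HEADERS.has(n) || exposed.has(n))
    .sort();
}

// Constructed sample inputs to show both decisions on realistic headers.
const sampleRequest = { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } };
const sampleResponse = {
  "Content-Type": "text/html",
  "Set-Cookie": "session=constructed-value", // never exposed: not safelisted, not listed
  "X-Request-Id": "req-0001",                // exposed only because the server lists it
  "Access-Control-Expose-Headers": "X-Request-Id",
};
console.log("preflight needed:", needsPreflight(sampleRequest.method, sampleRequest.headers));
console.log("readable response headers:", readableResponseHeaders(sampleResponse));
```

The point for a reviewer of the spec is visible in the two functions: the request-side list bounds what a page can send to another origin without that origin first consenting, and the response-side list bounds what it can read back, so both lists must be small and every addition argued for, which is why Issue 1 asks for security review.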