Jonas Sicking wrote:
Jonas Sicking wrote:
Hi All,
A couple of questions regarding the cross-site XHR proposal:
http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012
As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest
cross-site requests should always have the headers set through
setRequestHeader removed. This includes requests done after a redirect
to a different server.
Oh, I was going to add to this. I plan on allowing "Accept" and
"Accept-Language" to be set even for cross-site requests. Are there
other headers that people think would be useful and safe to allow?
Could you point me to the rationale for forbidding setting headers in the
first place? HTTP headers are an important extension point (see for
example APP "Slug"), but disallowing them completely seems to be a very
drastic measure.
Best regards, Julian
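
The header rule discussed in this thread, sketched as an added example that is not part of either message or of the proposal text. The function names are hypothetical. Comparing URL origins to decide "cross-site", and keeping headers stripped for the rest of a redirect chain once it has left the page's origin, are assumptions made here.

```javascript
// Added illustration; all names are hypothetical, not from the proposal.
// Headers the thread says may still be set on cross-site requests.
const CROSS_SITE_ALLOWED = new Set(["accept", "accept-language"]);

// Assumption: "different server" is modelled as a different URL origin
// (scheme + host + port).
function isCrossSite(pageUrl, targetUrl) {
  return new URL(pageUrl).origin !== new URL(targetUrl).origin;
}

// Drop every author-set header except the allowed ones (case-insensitive).
function stripAuthorHeaders(authorHeaders) {
  const kept = {};
  for (const [name, value] of Object.entries(authorHeaders)) {
    if (CROSS_SITE_ALLOWED.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Decide which setRequestHeader values accompany each hop of a request.
// hops[0] is the URL passed to open(); later entries are redirect targets.
// Assumption: once any hop is cross-site, later hops stay stripped even if
// a redirect leads back to the page's own origin.
function headersPerHop(pageUrl, hops, authorHeaders) {
  let stripped = false;
  return hops.map((url) => {
    if (isCrossSite(pageUrl, url)) stripped = true;
    return {
      url,
      headers: stripped ? stripAuthorHeaders(authorHeaders) : { ...authorHeaders },
    };
  });
}

// Constructed sample: a same-site request redirected to another server.
const sampleHeaders = {
  "Accept": "application/atom+xml",
  "Slug": "My Entry",
  "X-Custom": "1",
};
const sampleHops = [
  "https://app.example/feed",
  "https://other.example/feed",
  "https://app.example/feed2",
];
const sampleResult = headersPerHop("https://app.example/page", sampleHops, sampleHeaders);
```

In the constructed sample the "Slug" header reaches only the first, same-site hop, which is the loss of an extension point that Julian's question is about.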