On Mon, 23 Jul 2007 10:35:27 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> A couple of questions regarding the cross-site XHR proposal:
> http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012
>
> As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest
> cross-site requests should always have the headers set through
> setRequestHeader removed. This includes requests done after a redirect
> to a different server.
Why prevent a user from setting the "Content-Access-Control" header?
That is generally a response header and I'd expect servers to ignore it.
If requests with arbitrary headers set can harm a server they are already
vulnerable. Is it really wise to restrict this?
> What is the purpose of the Referer-Root header? Why can't sites rely on
> the Referer header?
Isn't Referer disabled by some third-party software now and then? Such as
antivirus software? Another reason is probably that Referer-Root contains
the exact format needed for the access check. We could use that in the
access-control document probably.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
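The second point in the reply above is that Referer-Root already carries the value a server needs for its access check, whereas Referer is a full URL that may also be missing. The following is an added example, not code from the thread or from either proposal: a server-side check that accepts a Referer-Root value directly, derives an equivalent value from Referer when only that is present, and fails closed when neither header arrived. The assumed Referer-Root format is `scheme://host[:port]` with default ports omitted, and the allow-list and header values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of origins permitted to read this resource.
ALLOWED_ROOTS = {"https://app.example", "http://localhost:8080"}


def referer_root_from_url(url):
    """Reduce a full Referer URL to scheme://host[:port] (assumed Referer-Root format).

    Returns None for non-http(s) or hostless URLs so the caller denies them.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    root = f"{parts.scheme}://{parts.hostname}"  # .hostname is already lower-cased
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port is not None and parts.port != default_port:
        root += f":{parts.port}"
    return root


def access_check(headers, allowed=ALLOWED_ROOTS):
    """Decide whether a cross-site request may be served.

    Prefers Referer-Root, which is already in allow-list form; otherwise derives
    the root from Referer. A request carrying neither header (Referer stripped
    by proxy or anti-virus software, as the thread notes) is denied.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    root = lowered.get("referer-root")
    if root is None:
        referer = lowered.get("referer")
        if referer is None:
            return False  # fail closed: no evidence of the requesting site
        root = referer_root_from_url(referer)
    return root in allowed


if __name__ == "__main__":
    print(access_check({"Referer-Root": "https://app.example"}))            # allowed
    print(access_check({"Referer": "https://app.example/page?x=1"}))        # allowed via Referer
    print(access_check({}))                                                 # denied, no header
    print(access_check({"Referer": "https://other.example/"}))              # denied, not listed
```

Because the Referer path is a fallback, an operator can see in the function which requests were admitted on the weaker evidence; in practice a deployment would log that branch separately from the Referer-Root branch.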