Anne van Kesteren wrote:
Currently XMLHttpRequest Level 2 has restrictions on getting response
headers when doing a cross-site request. I have a feeling these may be
an artifact of the slightly older model.
getAllResponseHeaders() returns the empty string currently.
getResponseHeader(header) returns null unless header is one of
Cache-Control, Content-Language, Content-Type, Expires, Last-Modified,
Pragma.
I think we should be able to change this. (Though we can't expose
Set-Cookie and Set-Cookie2 obviously.)
Any thoughts?
(I bcc'ed the WAF WG list as there might be some people there interested
in this. Please reply to the Web API WG list. I'll be happy when this
work ends up in the same group soonish...)
I'd wonder what the purpose of this is? I.e. what's the use case?
We don't want to allow access to cookie and authentication headers,
right? Are you sure there isn't anything else like it that
authors would unintentionally expose?
/ Jonas
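As an added example (not code from the thread or from the XMLHttpRequest spec): a JavaScript model of the cross-site response-header filtering Anne describes, using the six safelisted names from her mail and never exposing Set-Cookie or Set-Cookie2. The server opt-in list is an assumption beyond this thread, modelled on the Access-Control-Expose-Headers header that CORS later adopted; the sample response headers are constructed.

```javascript
// Response headers a cross-site caller may read without any server opt-in
// (the six names listed in Anne's mail).
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
]);
// Headers that must never be exposed cross-site, even if a server opts in.
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// Assumption (not in the thread): a comma-separated server opt-in list,
// in the style of Access-Control-Expose-Headers, parsed case-insensitively.
function parseExposeList(exposeOptIn) {
  if (!exposeOptIn) return new Set();
  return new Set(
    exposeOptIn.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean),
  );
}

// A header is readable if it is safelisted or opted in, and never if forbidden.
function isExposed(name, exposed) {
  const n = name.toLowerCase();
  if (FORBIDDEN.has(n)) return false;
  return SAFELISTED.has(n) || exposed.has(n);
}

// Model of getResponseHeader(): null for hidden or absent headers,
// comma-joined values for repeated exposed headers.
function getResponseHeader(rawHeaders, name, exposeOptIn) {
  if (!isExposed(name, parseExposeList(exposeOptIn))) return null;
  const target = name.toLowerCase();
  const values = rawHeaders
    .filter(([n]) => n.toLowerCase() === target)
    .map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// Model of the relaxed getAllResponseHeaders(): only exposed headers,
// serialised as "Name: value\r\n" lines.
function getAllResponseHeaders(rawHeaders, exposeOptIn) {
  const exposed = parseExposeList(exposeOptIn);
  return rawHeaders
    .filter(([n]) => isExposed(n, exposed))
    .map(([n, v]) => `${n}: ${v}\r\n`)
    .join('');
}

// Constructed sample response from a cross-site server.
const SAMPLE_RESPONSE = [
  ['Content-Type', 'application/json'],
  ['Cache-Control', 'no-store'],
  ['Set-Cookie', 'session=abc; HttpOnly'],
  ['WWW-Authenticate', 'Basic realm="api"'],
  ['X-Request-Id', 'req-42'],
];
```

Reading `Set-Cookie` returns null even when the server lists it in the opt-in, while `X-Request-Id` becomes readable only once opted in.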