Anne van Kesteren wrote:
> On Tue, 08 Apr 2008 19:30:42 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> I'd wonder what the purpose of this is? I.e. what's the use case?
>
> The main use case for not restricting headers too much is that it gives
> more consistency with same-origin requests. This presumably allows the
> same kind of scenarios that nowadays happen same-origin to be done non
> same-origin.
>
>> We don't want to allow access to cookie and authentication headers,
>> right?
>
> Right.
>
>> Are you sure there isn't anything else like it as well that authors
>> won't unintentionally expose?
>
> That's what I'm asking for, I suppose.

For what it's worth, I do think that whatever list we come up with
should be part of the access-control spec rather than the XHR2 spec.
This is very much tied in to the security model which is what the
access-control spec describes.
/ Jonas
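The exchange above is about which response headers a cross-origin XHR caller may read, and Jonas's question ("is there anything else authors won't unintentionally expose?") is the classic blocklist-versus-allowlist concern. The following is an added illustration of that trade-off, written for this thread; it is not code from any browser, from the access-control or XHR2 specs, or from either participant. The sensitive-header set, the sample response and the header names in it are constructed assumptions, not a spec-defined list.

```python
"""Filtering response headers before exposing them to a cross-origin caller.

Added illustration for the mailing-list thread above; not code from any
browser, spec or list participant.  SENSITIVE_RESPONSE_HEADERS and
SAMPLE_RESPONSE are constructed assumptions, not a spec-defined list.
"""
from typing import Iterable, List, Tuple

# Cookie- and authentication-related headers the thread agrees must never be
# readable cross-origin.  Assumption: the proxy/challenge variants are added
# because a reviewer would want them covered too.
SENSITIVE_RESPONSE_HEADERS = frozenset({
    "set-cookie",
    "set-cookie2",
    "www-authenticate",
    "proxy-authenticate",
})

# A response's headers as (name, value) pairs, in wire order.
Headers = List[Tuple[str, str]]


def expose_by_blocklist(headers: Headers) -> Headers:
    """Strip only the known-sensitive names; every other header leaks through.

    Header names are compared case-insensitively, as HTTP requires.  This is
    the "don't restrict too much" approach: anything not on the list, however
    internal, becomes readable by the cross-origin caller.
    """
    return [(n, v) for n, v in headers if n.lower() not in SENSITIVE_RESPONSE_HEADERS]


def expose_by_allowlist(headers: Headers, server_exposed: Iterable[str]) -> Headers:
    """Expose only names the server explicitly opted in.

    A sensitive header is still withheld even if the server listed it by
    mistake, so the allowlist can only ever narrow what the blocklist permits.
    """
    allowed = {n.lower() for n in server_exposed} - SENSITIVE_RESPONSE_HEADERS
    return [(n, v) for n, v in headers if n.lower() in allowed]


def names(headers: Headers) -> List[str]:
    """Header names only, in the order they were received."""
    return [n for n, _ in headers]


# Constructed sample response from a hypothetical cross-origin endpoint.
SAMPLE_RESPONSE: Headers = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session=abc123; HttpOnly"),
    ("WWW-Authenticate", 'Basic realm="api"'),
    ("X-Internal-Build", "2008.04.08-rc1"),  # internal detail the author never meant to expose
    ("ETag", '"7a9f"'),
]

if __name__ == "__main__":
    # Blocklist keeps X-Internal-Build readable; the allowlist does not.
    print("blocklist:", names(expose_by_blocklist(SAMPLE_RESPONSE)))
    print("allowlist:", names(expose_by_allowlist(
        SAMPLE_RESPONSE, ["ETag", "Content-Type", "Set-Cookie"])))
```

Running it shows the point of Jonas's question: the blocklist hides the cookie and authentication headers but still hands `X-Internal-Build` to the cross-origin caller, whereas the allowlist exposes nothing the server did not name, and refuses `Set-Cookie` even though the server listed it.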