On Mon, 19 Apr 2010 05:29:12 +0900, Tyler Close <[email protected]> wrote:
On Fri, Apr 16, 2010 at 5:52 PM, Jonas Sicking <[email protected]> wrote:
However I do like the idea of having a header which enumerates which
additional headers can be exposed. That seems like it'll add similar
value to exposing things by default, but with much less risk.

Didn't mnot suggest something like that as part of his HTTP review?

If Mozilla agrees to implement it, I'd like UMP to specify a new
header named "U" whose value is either "*" or a list of allowed
response headers. A response with this header is opting out of Same
Origin Policy protection for both the response entity and the listed
response headers. The response is not required to also include the
Access-Control-Allow-Origin header, but can for compatibility with
current implementations.

This solution would get two birds with one stone, allowing us to
deprecate the verbose and misleading header name that mnot also
complained about.

You'd still be restricted in terms of the request headers you can use. For CORS I plan on using Access-Control-Expose-Headers for consistency. If all implementors agree I would be happy to shorten the header names, but at this point that seems unlikely.


--
Anne van Kesteren
http://annevankesteren.nl/
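The thread turns on which response headers a cross-origin script may read once a server opts in with Access-Control-Expose-Headers. The following is an added illustration written for this page, not code from the thread, from Mozilla, or from any browser: it models the browser-side filtering as the Fetch standard describes it today (the safelisted response-header names, the "*" wildcard, and the rule that "*" is taken literally when the request carried credentials). The header sets and the sample response are assumptions constructed for the example.

```javascript
// Added example: model of how a browser decides which response headers a
// cross-origin script may read under CORS. Follows the Fetch standard's
// rules as understood here; the sample response below is constructed.

// Headers readable cross-origin even without Access-Control-Expose-Headers
// (the CORS-safelisted response-header names).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);

// Header names never exposed to script, whatever the server lists.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse a comma-separated header list into trimmed, lower-cased names.
function parseList(value) {
  if (value == null) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Given response headers (object of name -> value) and whether the request
// was made with credentials, return the sorted list of header names that a
// script on another origin may read.
function exposedResponseHeaders(headers, { credentialed = false } = {}) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const listed = parseList(lower["access-control-expose-headers"]);
  // A bare "*" exposes everything except forbidden names, but only for
  // non-credentialed requests; with credentials it is a literal name.
  const wildcard = !credentialed && listed.includes("*");
  const allowed = new Set(listed.filter((n) => n !== "*"));
  const out = [];
  for (const name of Object.keys(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || wildcard || allowed.has(name)) out.push(name);
  }
  return out.sort();
}

// Constructed sample response from an API that sets a custom request id and
// a rate-limit header alongside a session cookie.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "X-Request-Id": "req-0001",
  "X-Rate-Limit-Remaining": "9",
  "Set-Cookie": "sid=example; HttpOnly",
  "Access-Control-Allow-Origin": "*",
};

// Returns what script sees under several server choices, for comparison.
function demo() {
  const noOptIn = exposedResponseHeaders(SAMPLE_RESPONSE);
  const listedOne = exposedResponseHeaders({
    ...SAMPLE_RESPONSE,
    "Access-Control-Expose-Headers": "X-Request-Id",
  });
  const star = exposedResponseHeaders({
    ...SAMPLE_RESPONSE,
    "Access-Control-Expose-Headers": "*",
  });
  const starWithCredentials = exposedResponseHeaders(
    { ...SAMPLE_RESPONSE, "Access-Control-Expose-Headers": "*" },
    { credentialed: true },
  );
  return { noOptIn, listedOne, star, starWithCredentials };
}

console.log(JSON.stringify(demo(), null, 2));
```

The defender-side point the model makes visible: without an explicit opt-in, only the safelisted names are readable, so an accidental custom header is not leaked to other origins; listing a single name exposes exactly that name; and Set-Cookie stays hidden even under "*".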
