Jonas Sicking wrote:
Hi All,
A couple of questions regarding the cross-site XHR proposal:
http://lists.w3.org/Archives/Public/public-webapi/2006Jun/0012
As detailed in http://wiki.mozilla.org/Cross_Site_XMLHttpRequest
cross-site requests should always have the headers set through
setRequestHeader removed. This includes requests done after a redirect
to a different server.
Oh, I was going to add to this. I plan on allowing "Accept" and
"Accept-Language" to be set even for cross-site requests. Are there
other headers that people think would be useful and safe to allow?
/ Jonas
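
The rule described in the message above, sketched as an added example (not code from the original post or from Mozilla): author-set headers are dropped on cross-site requests, including a redirect hop to a different server, except "Accept" and "Accept-Language". Treating "cross-site" as a different origin and judging each hop against the requesting page are assumptions, as are all function names and sample URLs.

```javascript
// Added example, not Mozilla's implementation. The allowlist holds only the
// two headers named in the message above.
const CROSS_SITE_ALLOWED = new Set(["accept", "accept-language"]);

// Assumption: "cross-site" means a different origin (scheme, host, port).
function isCrossSite(pageUrl, targetUrl) {
  return new URL(pageUrl).origin !== new URL(targetUrl).origin;
}

// Return the setRequestHeader values that may accompany a request to targetUrl.
function filterAuthorHeaders(pageUrl, targetUrl, authorHeaders) {
  if (!isCrossSite(pageUrl, targetUrl)) return { ...authorHeaders };
  const kept = {};
  for (const [name, value] of Object.entries(authorHeaders)) {
    // Header names are case-insensitive, so compare in lower case.
    if (CROSS_SITE_ALLOWED.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Apply the filter to every hop of a redirect chain, so a same-site request
// that is redirected to another server loses its author-set headers there.
// Assumption: each hop is judged on its own against the requesting page.
function headersPerHop(pageUrl, hopUrls, authorHeaders) {
  return hopUrls.map((url) => ({
    url,
    crossSite: isCrossSite(pageUrl, url),
    headers: filterAuthorHeaders(pageUrl, url, authorHeaders),
  }));
}

// Constructed sample: a same-site request redirected to a different server.
const sampleHeaders = {
  "Accept": "application/xml",
  "accept-language": "sv",
  "X-Auth-Token": "constructed-value",
};
const sampleHops = headersPerHop(
  "http://app.example/page.html",
  ["http://app.example/api", "http://other.example/api"],
  sampleHeaders
);
console.log(JSON.stringify(sampleHops, null, 2));
```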