Anne van Kesteren wrote:

On Thu, 26 Jul 2007 13:34:39 +0200, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
Why prevent a user from setting the "Content-Access-Control" header? That is generally a response header and I'd expect servers to ignore it.

If requests with arbitrary headers set can harm a server they are already vulnerable. Is it really wise to restrict this?

Actually, this is untrue for intranets and such. Hmm.

Intranets are no problem since we should forbid setRequestHeader for cross-site requests anyway.

/ Jonas
