[Webkit-unassigned] [Bug 33688] Cross-Domain XMLHttpRequest deny allowed headers access
bugzilla-daemon at webkit.org
Thu Jan 14 15:46:03 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=33688
Alexey Proskuryakov <ap at webkit.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID
          Component|New Bugs                    |XML
--- Comment #2 from Alexey Proskuryakov <ap at webkit.org> 2010-01-14 15:46:03 PST ---
The Access-Control-Allow-Headers header only affects what can be put into the
request, not what can be read from the response. Per the CORS spec, there is no way
to get an X-Test response header from a cross-origin request. Please see
section 6.1:
-------------------------------------------
User agents must filter out all response headers other than those that are an
ASCII case-insensitive match for one of the header field names listed below,
before exposing response headers to the APIs defined in the hosting
specification:
* Cache-Control
* Content-Language
* Content-Type
* Expires
* Last-Modified
* Pragma
E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose
any header not listed above.
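The filter described in the comment above, modelled as an added example (not WebKit code and not part of the original message). It applies the section 6.1 list exactly as quoted; the function names and the sample response are constructed for illustration.

```javascript
// Header names listed in the quoted section 6.1 text, stored in lower case.
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// ASCII-only lower-casing: only A-Z are folded, as the spec text requires.
const asciiLower = (s) => s.replace(/[A-Z]/g, (c) => c.toLowerCase());

// Parse a raw header block ("Name: value\r\n...") into [name, value] pairs.
function parseHeaders(raw) {
  return raw.split(/\r?\n/).filter((l) => l.includes(":")).map((line) => {
    const i = line.indexOf(":");
    return [line.slice(0, i).trim(), line.slice(i + 1).trim()];
  });
}

// Headers a script may read. Same-origin responses are not touched by the
// section 6.1 filter; cross-origin responses keep only the listed names.
function exposedHeaders(raw, crossOrigin) {
  const all = parseHeaders(raw);
  if (!crossOrigin) return all;
  return all.filter(([name]) => SIMPLE_RESPONSE_HEADERS.has(asciiLower(name)));
}

// getResponseHeader()-style lookup: null when absent or filtered out.
function getResponseHeader(raw, crossOrigin, wanted) {
  const hit = exposedHeaders(raw, crossOrigin)
    .find(([name]) => asciiLower(name) === asciiLower(wanted));
  return hit ? hit[1] : null;
}

// Constructed sample response. Access-Control-Allow-Headers names X-Test,
// but that header governs request headers only, so X-Test stays unreadable.
const SAMPLE = [
  "CONTENT-TYPE: text/plain",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Headers: X-Test",
  "X-Test: hello",
  "Pragma: no-cache",
].join("\r\n");

console.log(getResponseHeader(SAMPLE, true, "X-Test"));       // cross-origin
console.log(getResponseHeader(SAMPLE, false, "X-Test"));      // same-origin
console.log(getResponseHeader(SAMPLE, true, "content-type")); // listed header
```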