| Summary: | Cross-Domain XMLHttpRequest deny allowed headers access | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | y8 |
| Component: | XML | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | | |
| Severity: | Normal | CC: | ap, ukai |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Mac (Intel) | | |
| OS: | OS X 10.6 | | |
Description
y8
2010-01-14 14:09:59 PST
Created attachment 46604
XMLHttpRequest cross-domain headers test
The Access-Control-Allow-Headers header only affects what can be put into the request, not what can be read from response. Per the CORS spec, there is no way to get an X-Test response header from a cross-origin request. Please see section 6.1:

-------------------------------------------
User agents must filter out all response headers other than those that are an ASCII case-insensitive match for one of the header field names listed below, before exposing response headers to the APIs defined in the hosting specification:

* Cache-Control
* Content-Language
* Content-Type
* Expires
* Last-Modified
* Pragma

E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not listed above.
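The section 6.1 filter quoted above, modelled as an added example that is not part of the original bug report and is not WebKit's code. The function names and the sample response headers are constructed for illustration; the allow-list is the one quoted from the spec.

```javascript
// Header names the quoted section 6.1 lets a cross-origin caller read.
const READABLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// ASCII-only lowercasing: the spec asks for an ASCII case-insensitive match,
// so non-ASCII look-alikes must not fold onto an allowed name.
function asciiLower(name) {
  return String(name).replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

// Drops every header that is not on the allow-list (hypothetical helper).
// Repeated headers are joined with ", " as getResponseHeader() does.
function filterCrossOriginResponseHeaders(rawHeaders) {
  const exposed = new Map();
  for (const [name, value] of rawHeaders) {
    const key = asciiLower(name);
    if (!READABLE_RESPONSE_HEADERS.has(key)) continue;
    exposed.set(key, exposed.has(key) ? `${exposed.get(key)}, ${value}` : value);
  }
  return exposed;
}

// Minimal stand-in for the two XMLHttpRequest read APIs on a cross-origin response.
function makeCrossOriginResponse(rawHeaders) {
  const exposed = filterCrossOriginResponseHeaders(rawHeaders);
  return {
    getResponseHeader: (name) => exposed.get(asciiLower(name)) ?? null,
    // Names are emitted lowercased in this model.
    getAllResponseHeaders: () =>
      [...exposed].map(([k, v]) => `${k}: ${v}\r\n`).join(""),
  };
}

// Constructed response: the server lists X-Test in Access-Control-Allow-Headers,
// which governs request headers only and has no effect on what can be read back.
const sampleHeaders = [
  ["Access-Control-Allow-Origin", "*"],
  ["Access-Control-Allow-Headers", "X-Test"],
  ["CONTENT-TYPE", "text/plain"],
  ["X-Test", "secret-value"],
  ["Pragma", "no-cache"],
];
const response = makeCrossOriginResponse(sampleHeaders);
console.log(response.getResponseHeader("X-Test"));       // filtered out
console.log(response.getResponseHeader("Content-Type")); // on the allow-list
```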