whoah, whoah.... I have really wanted to use cross-site HTTP requests, but I'm having some trouble understanding certain decisions here.

Why are they using a new set of HTTP headers to describe scenarios that are already covered by HTTP response codes? Why does the client send an Origin header at all in the first place, when it can be inferred from the Referer? Why does the server respond with a list of allowed origins, when it could simply send an HTTP response code to say allowed/not allowed/auth required/etc.?

I'm probably missing something, but this just doesn't add up...

EDIT:

Oh - maybe because there isn't a good JavaScript interface to HTTP response codes? Well, it sounds like a client-side solution would be to build this interface, rather than making the server support some weird headers that will still rely on the client to faithfully perform access control.
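The Origin / Access-Control-Allow-Origin exchange the comment asks about, as an added example that is not part of the original post: a minimal server-side CORS decision in Python, covering both a simple request and a preflight. The allowlisted origins, methods and headers are constructed assumptions; the point it shows is that the HTTP status describes the resource, while the CORS headers tell the browser whether the requesting origin may read the response at all.

```python
from typing import Dict, Optional

# Constructed values for this example: what the API is willing to trust.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}


def cors_headers(origin: Optional[str], with_credentials: bool = False) -> Dict[str, str]:
    """CORS headers for a request carrying `origin` (the browser-set Origin header).

    An empty dict means "no CORS grant": the browser then withholds the body
    from the calling script even if the HTTP status is 200.
    """
    if origin is None:
        # Same-origin or non-browser client: nothing to grant.
        return {}
    if origin == "null" or origin not in ALLOWED_ORIGINS:
        # Never echo unknown origins and never allow the opaque "null" origin;
        # either would hand the response to any site.
        return {}
    # Echo the exact allowlisted origin (not "*") and let caches key on it.
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if with_credentials:
        # Valid only because the origin is explicit; "*" plus credentials is rejected by browsers.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_headers(origin: Optional[str], requested_method: str,
                      requested_headers: str) -> Dict[str, str]:
    """Answer an OPTIONS preflight: Access-Control-Request-Method / -Headers in,
    Access-Control-Allow-* out. Empty dict means the real request is refused."""
    headers = cors_headers(origin)
    if not headers or requested_method.upper() not in ALLOWED_METHODS:
        return {}
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if not wanted <= ALLOWED_HEADERS:
        return {}
    headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    headers["Access-Control-Max-Age"] = "600"  # browser may cache this grant
    return headers
```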