Support for the deny="" pseudo-attribute on <?access-control?> and "deny" ruleset on the Access-Control HTTP header should be removed from the implementation as it has been removed from the specification on request of Jonas Sicking. They are not necessary given that the server can be easily configured to reject cross-site requests and there's an exclude clause to denote exceptions to the allow clause already.
We're not doing cross-site XHR for this release due to security concerns :(
This was done as part of bug 389508
9 years ago