W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: XHR: restrictions on request headers

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 11 Apr 2006 23:39:53 +0000 (UTC)
To: Maciej Stachowiak <mjs@apple.com>
Cc: Web APIs WG <public-webapi@w3.org>
Message-ID: <Pine.LNX.4.62.0604112337380.21459@dhalsim.dreamhost.com>

On Mon, 10 Apr 2006, Maciej Stachowiak wrote:
> 
> There's been some discussion of what request headers, if any, XMLHttpRequest
> should disallow for setREquestHeader.
> 
> I think we really need a clear idea of what we are trying to do by restricting
> headers. I propose that the following are valid reasons to forbid setting a
> header:
> 
> 1) It would allow for a possible security hole.

Agreed, naturally.

> 2) It would allow a client to cause the UA to violate the http RFC (besides
> just requirements on syntax, obviously those are possible with any header).

Agreed.

> 3) It could seriously interfere with correct operation of the network 
> layer (specifically, it could break in-progress or future requests, or 
> cause improper responses to be added to the fache.

Agreed.

But I would add one more. Authors are stupid. We shouldn't provide them 
with features whose only possible use is for them to shoot themselves in 
the foot. In other words, I would phrase the question not as "which 
headers should we restrict", but "which headers should we allow", and only 
allow those that have valid use cases.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 11 April 2006 23:40:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT