- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 11 Apr 2006 23:39:53 +0000 (UTC)
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Web APIs WG <public-webapi@w3.org>
On Mon, 10 Apr 2006, Maciej Stachowiak wrote:
>
> There's been some discussion of what request headers, if any, XMLHttpRequest
> should disallow for setRequestHeader.
>
> I think we really need a clear idea of what we are trying to do by restricting
> headers. I propose that the following are valid reasons to forbid setting a
> header:
>
> 1) It would allow for a possible security hole.

Agreed, naturally.

> 2) It would allow a client to cause the UA to violate the http RFC (besides
> just requirements on syntax, obviously those are possible with any header).

Agreed.

> 3) It could seriously interfere with correct operation of the network
> layer (specifically, it could break in-progress or future requests, or
> cause improper responses to be added to the cache).

Agreed.

But I would add one more. Authors are stupid. We shouldn't provide them
with features whose only possible use is for them to shoot themselves in
the foot.

In other words, I would phrase the question not as "which headers should
we restrict", but "which headers should we allow", and only allow those
that have valid use cases.

--
Ian Hickson                                      U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/                              U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.                          `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 11 April 2006 23:40:08 UTC
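As an added example, not part of either message in this thread: a header check written from the allow-list stance Ian argues for, with the syntax check that item 2 notes is needed for any header. The allow-list contents, the function names and the fake `xhr` object are illustrative assumptions, not anything the WG adopted.

```javascript
// Added example (not from the thread): an allow-list policy for
// XMLHttpRequest.setRequestHeader, in the spirit of "which headers
// should we allow" rather than "which should we restrict".

// RFC 7230 "token": the only characters a header name may contain.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 7230 field-value: visible ASCII, SP, HTAB and obs-text; no CR, LF or NUL.
const FIELD_VALUE_RE = /^[\t\x20-\x7E\x80-\xFF]*$/;

// Illustrative allow-list of author-settable headers (assumption, not the
// spec's list): each entry has a plausible use case for page script.
const ALLOWED_HEADERS = new Set([
  'accept', 'accept-language', 'content-type', 'content-language',
  'if-match', 'if-none-match', 'if-modified-since', 'if-unmodified-since',
  'cache-control', 'pragma', 'x-requested-with',
]);

// Returns null when the header may be set, otherwise the reason it is refused.
function checkRequestHeader(name, value) {
  // Syntax first: a non-token name or a value containing CR/LF would let
  // script smuggle extra header lines into the request (item 1's hole).
  if (typeof name !== 'string' || !TOKEN_RE.test(name)) {
    return 'invalid header name';
  }
  if (typeof value !== 'string' || !FIELD_VALUE_RE.test(value)) {
    return 'invalid header value';
  }
  // Policy: anything not explicitly allowed is refused, so headers that
  // would break HTTP semantics (item 2) or the network layer (item 3)
  // never need to be enumerated one by one.
  if (!ALLOWED_HEADERS.has(name.toLowerCase())) {
    return 'header not on the allow-list';
  }
  return null;
}

// Wrapper that applies the policy before delegating to a real (or fake) XHR.
// Fails closed: a refused header is dropped and the reason is returned.
function safeSetRequestHeader(xhr, name, value) {
  const reason = checkRequestHeader(name, value);
  if (reason !== null) {
    return reason;
  }
  xhr.setRequestHeader(name, value);
  return null;
}
```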