W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: XMLHttpRequest Object feedback

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 21 Apr 2006 15:34:54 +0200
To: "Mark Nottingham" <mnot@yahoo-inc.com>
Cc: "Web APIs WG (public)" <public-webapi@w3.org>
Message-ID: <op.s8c1cgqc64w2qv@id-c0020.oslo.opera.com>

On Thu, 06 Apr 2006 03:04:53 +0200, Mark Nottingham <mnot@yahoo-inc.com>  
wrote:
> Great stuff! A few quick comments on the draft;
>
> * responseText attribute - type the response as an HTTP entity  
> explicitly (you already do this for the request data); that way, there's  
> no ambiguity about what level the implementation operates at. I.e., XHR  
> won't give you direct access to the raw HTTP bytestream, with  
> transfer-codings like chunked visible.

So what exactly is the right term? I looked up "response entity",  
"response body" and "request body" and they seem to be used in RFC 2616  
but not really properly defined anywhere... I'm probably missing something  
though, a pointer to a section would be welcome.


> * open() - "If the URI given to this method contains a user name and a  
> password (the latter being the empty string), then these MUST be used if  
> the user and password arguments are omitted."  This is confusing; some  
> developers might think that the query arguments (for example) would  
> contain a user name and password. I *assume* you're referring to the  
> userinfo production in RFC3986; e.g.,
>    http://user:pass@host.name/path/?query
> It may be better to use this terminology ("userinfo") explicitly, along  
> with an appropriate reference.

This should be fixed.


> Also, AIUI, the security gods have determined that userinfo is a no-no  
> in URLs, and IE (for example) doesn't support it (at least in the  
> browser, not sure about XmlHttpRequest; must add that to the test  
> suite...). See:
>    http://lists.w3.org/Archives/Public/uri/2004Feb/0001.html

I have mentioned that usage of userinfo is discouraged and that  
implementations MAY not support it...


> WRT supported methods, it should support PUT, DELETE, FOO and anything  
> else that's syntactically correct.

I suggest your partake in ISSUE-74.


> WRT URIs, what should happen when I pass it a URI with a fragment  
> identifier?

Do you perhaps know what implementations do?


> * send() - I'd say that if there is data passed in the send method args,  
> it MUST be passed; not just if it's POST or PUT.

Could you raise this separately perhaps?


> Nit - WRT redirect loops, there's a caveat on it, so it's a SHOULD, not  
> a MUST.

That caveat is mentioned, I don't really see the problem. (For example,  
what would be the problem with saying "Imp MUST do A unless B is C."?)


> When talking about redirects, it would be really nice to remind  
> implementers (probably non-normatively) that HTTP has requirements about  
> method preservation and getting approval for the user for the various  
> codes; see http://www.mnot.net/javascript/xmlhttprequest/

Suggestions for text? I also wonder what kind of implications it would  
have for implementations given that currently most seem to ignore it.


> If implementations are allowed to encoding/decode content-codings (i.e.,  
> automatically manipulate Accept-Encoding/Content-Encoding), say so  
> explicitly.

This is currently unclear. Some people object to this and other people  
want it, mostly for being able to set Accept-Encoding to US-ASCII I  
believe.


> Content-coding is a property of the content (entity, representation,  
> whatever) itself -- just like content-type and content-language -- and  
> automatically handling it breaks layering (which is OK, as long as you  
> do it explicitly). This means that if decoding is handled automagically,  
> the appropriate part of the Content-Encoding header should probably be  
> stripped, so the app doesn't get confused.

What do you mean?


> * setRequestHeader() -  HTTP allows header field-values to contain  
> linefeeds and cr's; they should be allowed here.

Why? As I understand section 4.2 they don't affect the actual value.


> The specification of concatenation of headers is too simplistic; a  
> header can be split across multiple lines, or have multiple entries.  
> Some implementations will do this to avoid header length limitations out  
> there.

What is wrong with keeping this consistent? I don't really care about  
making it more loose, but it should probably be discussed first. Perhaps  
raise this separately?


> Also, some headers are specified to have only a single value (not a  
> list), and some implementations might take advantage of that knowledge  
> to overwrite them, rather than concatenate new values. The current  
> language effectively disallows that.

...


> Say something to the effect that if the UA has a cache, it MUST honour  
> Cache-Control request headers sent with setRequestHeader(). This allows  
> the application to control the cache.

So we need more text besides "In particular, UAs MUST NOT automatically  
set the <code>Cache-Control</code> or <code>Pragma</code> headers to  
defeat caching [RFC2616]."?


> It seems a *little* draconian to not allow the user to control If- 
> Modified-Since, If-None-Match and If-Range. Range should definitely be  
> available to users; somebody might know what they're doing. :)

This has been changed.


> The wording around Connection and Keep-Alive leads developers to believe  
> that they always have to set these headers; that's not the case.

Why? It specifically mentions UAs...


> "set" should probably be "use", and Content-Length should be in there  
> too. In fact, I'd require UAs to set Content-Length; while theoretically  
> you can chunk a request body, there are some practical interop problems  
> with doing so.

Could you elaborate on that?


> The Referer header MUST be set, and MUST NOT be overridable; once  
> cross-site XHR is available, sites will want to use it for security,  
> logging, etc.

Lets defer this to the separate thread on that, ok?


> What about automatically setting headers to do with delta encoding  
> (RFC3229)? TE (for transfer encoding negotiation)? Content-MD5 (for  
> request body integrity)? Meter (HTTP hit metering from caches)? The UA-*  
> request headers? MUST NOT is too strong a prohibition for  
> automatically-set headers; I'd suggest SHOULD NOT. (The response shown  
> in the "Manipulating response headers" example is actually impossible  
> for conforming implementations to see; you need to send TE to get a  
> Transfer-Encoding back).

Would it work if I removed "Transfer-Encoding: chunked" from the example?  
And what are your suggestions for those other headers?


> * In open(), send() and setRequestHeader(), it says that the userinfo  
> MUST be used. This is too simplistic; a naive implementation will send  
> them optimistically as HTTP Basic authentication, which is the wrong  
> thing to do from a security perspective. If they're supplied, the UA  
> needs to wait for a 401 Unauthenticated response, so it can learn that  
> a) credentials are required and b) what scheme (and details thereof) to  
> use.

So "request to uri using method method, authenticating using user  and  
password as appropriate is sent" should have some addition?

    Otherwise, the readyState attribute MUST be set to 2 (Sent)
    and a request to uri using method method, authenticating
    using user  and password as appropriate is sent. UAs MUST NOT
    use HTTP Basic authentication when doing so, instead they
    MUST wait for a 401 Unauthenticated response and use its
    details to perform the request.

Something like the above?


> Also, if the browser is already sending credentials for a particular  
> protection space (to use RFC2617 terminology), XHR SHOULD send them when  
> accessing resources in the same space. It'll need to define precedence  
> between these and those explicitly used in a call (which would override,  
> I presume).

Please raise a separate issue on this.

Your comments are much appreciated.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 21 April 2006 13:35:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT