Headers / caches proposal

This is actually split across send and setRequestHeader:

* send()

If the UA allows the specification of a proxy, it should modify the  
request appropriately; i.e., connect to the proxy host instead of the  
origin server, modify the Request-Line and send Proxy-Authorization  
headers as specified.

If the UA supports HTTP Authentication [RFC2617], it should consider
XHR calls to be part of the protection space that includes the
accessed URIs, and send Authorization headers and handle 401
Unauthorised requests appropriately. If authentication fails, UAs
should prompt the users for credentials.

If the UA supports HTTP State Management [RFC2109 RFC2965], it should
persist, discard and send cookies (as received in the Set-Cookie and  
Set-Cookie2 response headers, and sent in the Cookie header) as  
applicable.

If the UA implements an HTTP cache [RFC2616], it should respect
Cache-Control request headers set by the author (e.g.,
"Cache-Control: no-cache" bypasses the cache). It must not send Cache-Control or Pragma
request headers automatically unless the user explicitly requests  
such behaviour (e.g., by force-reloading the page). 304 Not Modified  
responses that are a result of a UA-generated conditional request  
must be presented as 200 OK responses with the appropriate content.  
Such UAs must allow authors to override automatic cache validation by  
setting request headers (e.g., If-None-Match, If-Modified-Since), in  
which case 304 Not Modified responses must be passed through.

If the UA implements server-driven content-negotiation [RFC2616], it  
should set Accept-Language, Accept-Encoding and Accept-Charset  
headers as appropriate; it must not automatically set the Accept  
header. Responses to such requests must have content-codings  
automatically removed.

* setRequestHeader()

The nominated request header field value must be set to value, with  
the following exceptions:

1) Nothing must be done if the header or value arguments contain any
U+000A LINE FEED or U+000D CARRIAGE RETURN characters, or if the
header argument contains any U+0020 SPACE or U+003A COLON characters.

2) UAs must not allow the following headers to be set by authors:
   Accept-Charset, Accept-Encoding, Content-Length, Connection, Date,  
Host, Keep-Alive, Referer, TE, Trailer, Transfer-Encoding

Implementations must replace any existing value if the nominated  
request header field value is one of:
   Authorization, Content-Base, Content-Location, Content-MD5,
Content-Range, Content-Type, Content-Version, Delta-Base, Depth,
Destination, ETag, Expect, From, If-Modified-Since, If-Range,
If-Unmodified-Since, Max-Forwards, MIME-Version, Overwrite,
Proxy-Authorization, SOAPAction, Timeout

Otherwise, if the nominated request header field already has a value,  
the new value must be combined with the existing value, as specified  
by [RFC2616 Section 4.2].



--
Mark Nottingham
mnot@yahoo-inc.com

Received on Monday, 1 May 2006 22:15:12 UTC
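
The setRequestHeader() rules proposed above, modelled as an added example (not part of the original message and not any UA's code). The function name `applySetRequestHeader`, its return strings and the Map-based header store are assumptions; the header lists are copied from the proposal, and names are compared case-insensitively because HTTP field names are case-insensitive.

```javascript
// Added example: models the proposed setRequestHeader() rules.
// Names and return strings are hypothetical; header lists come from the proposal.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "content-length", "connection", "date",
  "host", "keep-alive", "referer", "te", "trailer", "transfer-encoding",
]);
const REPLACE = new Set([
  "authorization", "content-base", "content-location", "content-md5",
  "content-range", "content-type", "content-version", "delta-base", "depth",
  "destination", "etag", "expect", "from", "if-modified-since", "if-range",
  "if-unmodified-since", "max-forwards", "mime-version", "overwrite",
  "proxy-authorization", "soapaction", "timeout",
]);

// headers: Map of lowercased field name -> value. Returns the action taken.
function applySetRequestHeader(headers, header, value) {
  header = String(header);
  value = String(value);
  // Exception 1: CR or LF in either argument, or SPACE or COLON in the name.
  // Dropping the call keeps an author-supplied string from adding header lines.
  if (/[\r\n]/.test(header) || /[\r\n]/.test(value) || /[ :]/.test(header)) {
    return "ignored";
  }
  const key = header.toLowerCase();
  // Exception 2: headers the UA controls may not be set by authors.
  if (FORBIDDEN.has(key)) return "forbidden";
  if (!headers.has(key)) {
    headers.set(key, value);
    return "set";
  }
  if (REPLACE.has(key)) {
    headers.set(key, value);
    return "replaced";
  }
  // Otherwise combine as a comma-separated list (RFC 2616 Section 4.2).
  headers.set(key, headers.get(key) + ", " + value);
  return "combined";
}

// Constructed sample calls covering each branch.
function demo() {
  const h = new Map();
  const outcomes = [
    applySetRequestHeader(h, "X-Demo", "a\r\nX-Injected: 1"), // ignored
    applySetRequestHeader(h, "Host", "other.example"),        // forbidden
    applySetRequestHeader(h, "Content-Type", "text/plain"),   // set
    applySetRequestHeader(h, "content-type", "text/xml"),     // replaced
    applySetRequestHeader(h, "Accept", "text/html"),          // set
    applySetRequestHeader(h, "Accept", "text/plain"),         // combined
  ];
  return { outcomes, headers: Object.fromEntries(h) };
}
```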