- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 2 May 2006 01:33:11 -0700
- To: Mark Nottingham <mnot@yahoo-inc.com>
- Cc: "Web APIs WG (public)" <public-webapi@w3.org>
On May 1, 2006, at 5:45 PM, Mark Nottingham wrote:

> 3) UAs must not allow the following headers to be set by authors:
> Accept-Charset, Accept-Encoding, Content-Length, Date, Host, Keep-Alive,
> Referer, TE, Trailer, Transfer-Encoding
> [example]

I made a proposal about disallowed headers a while back.

http://lists.w3.org/Archives/Public/public-webapi/2006Apr/0225.html

In my proposal, I suggested disallowing the following, with justifications given:

Connection, Date, Keep-Alive, Trailer, Transfer-Encoding, Upgrade, Expect, Host, Referer, TE

I also suggested the following are suspicious and maybe should be banned, but did not include a justification:

Via, Accept-Encoding, From, Max-Forwards, Proxy-Authorization

Combining these lists, your list does not include Connection, Upgrade, Expect, Via, From, Max-Forwards or Proxy-Authorization. Are you convinced all those are safe? Do you think my specific justifications for Connection, Upgrade and Expect were wrong?

Your list also includes Accept-Charset; I think that one could reasonably either be forbidden or allowed.

I also think the spec should justify why headers are disallowed rather than just stating it; it seems oddly out of context to just give an arbitrary list.

Regards,
Maciej
Received on Tuesday, 2 May 2006 08:33:22 UTC
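The comparison Maciej makes by hand above, as an added example that is not part of the original thread or of any browser's code: it encodes the three header lists quoted in the message, computes what each proposal omits relative to the other, and shows the kind of case-insensitive, token-validating guard a user agent's setRequestHeader() could apply to such a list. The function names and the token regex are this example's own assumptions.

```javascript
// Added example (hypothetical); the header lists are copied from the message above.

// Mark Nottingham's list, item 3 of his message as quoted above.
const MARK_LIST = ["Accept-Charset", "Accept-Encoding", "Content-Length", "Date",
  "Host", "Keep-Alive", "Referer", "TE", "Trailer", "Transfer-Encoding"];
// Maciej's proposed list (the one he gave justifications for).
const MACIEJ_BANNED = ["Connection", "Date", "Keep-Alive", "Trailer",
  "Transfer-Encoding", "Upgrade", "Expect", "Host", "Referer", "TE"];
// Maciej's "suspicious, maybe ban" list (no justification given).
const MACIEJ_SUSPICIOUS = ["Via", "Accept-Encoding", "From", "Max-Forwards",
  "Proxy-Authorization"];

// HTTP header field names are case-insensitive, so every comparison is on
// the lowercased name.
const norm = (name) => name.toLowerCase();
const toSet = (names) => new Set(names.map(norm));

// Names in `a` that do not appear in `b`, keeping the order of `a`.
function difference(a, b) {
  const bs = toSet(b);
  return a.filter((n) => !bs.has(norm(n)));
}

// Headers Maciej's combined lists would ban that Mark's list omits.
function missingFromMarkList() {
  return difference([...MACIEJ_BANNED, ...MACIEJ_SUSPICIOUS], MARK_LIST);
}

// Headers Mark's list bans that neither of Maciej's lists mentions.
function missingFromMaciejLists() {
  return difference(MARK_LIST, [...MACIEJ_BANNED, ...MACIEJ_SUSPICIOUS]);
}

// UA-style guard for a setRequestHeader() implementation: the name must be a
// valid HTTP token (this alone rejects CR/LF and other header-injection
// characters) and must not be on the combined forbidden list.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FORBIDDEN = toSet([...MARK_LIST, ...MACIEJ_BANNED, ...MACIEJ_SUSPICIOUS]);
function allowedRequestHeader(name) {
  if (!TOKEN.test(name)) return false;
  return !FORBIDDEN.has(norm(name));
}
```

Running missingFromMarkList() reproduces the seven names Maciej lists; the reverse comparison also shows Content-Length, which Mark's list bans and Maciej's message does not discuss.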