
Re: Headers / caches proposal (revised)

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 2 May 2006 01:33:11 -0700
Message-Id: <3EC172D5-9E00-4FCC-A3DA-F36ED1C6B7C8@apple.com>
Cc: "Web APIs WG (public)" <public-webapi@w3.org>
To: Mark Nottingham <mnot@yahoo-inc.com>


On May 1, 2006, at 5:45 PM, Mark Nottingham wrote:

>
> 3) UAs must not allow the following headers to be set by authors:
>   Accept-Charset, Accept-Encoding, Content-Length, Date, Host,
> Keep-Alive, Referer, TE, Trailer, Transfer-Encoding
> [example]

I made a proposal about disallowed headers a while back.

http://lists.w3.org/Archives/Public/public-webapi/2006Apr/0225.html

In my proposal, I suggested disallowing the following, with
justifications given: Connection, Date, Keep-Alive, Trailer,
Transfer-Encoding, Upgrade, Expect, Host, Referer, TE

I also suggested the following are suspicious and maybe should be  
banned, but did not include a justification:

Via, Accept-Encoding, From, Max-Forwards, Proxy-Authorization

Combining these lists, your list does not include Connection,  
Upgrade, Expect, Via, From, Max-Forwards or Proxy-Authorization. Are  
you convinced all those are safe? Do you think my specific  
justifications for Connection, Upgrade and Expect were wrong?

Your list also includes Accept-Charset; I think that one could
reasonably either be forbidden or allowed.

I also think the spec should justify why headers are disallowed
rather than just stating it; it seems oddly out of context to just
give an arbitrary list.

Regards,
Maciej
Received on Tuesday, 2 May 2006 08:33:22 GMT
