Re: [xhr] proxy-connection header

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 23 Jul 2007 00:34:54 -0700
Message-ID: <46A45A1E.3030201@sicking.cc>
To: Julian Reschke <julian.reschke@gmx.de>
CC: Web APIs WG <public-webapi@w3.org>

Julian Reschke wrote:
> Jonas Sicking wrote:
>> The XHR spec currently allows users to set the "Proxy-Connection" 
>> header using the setRequestHeader method. I couldn't find a spec for it 
>> other than some discussions here:
>> ...
> As far as I can tell, the spec doesn't even mention the header.
> Are you saying the spec should disallow setting a header that isn't even 
> registered (<http://www.iana.org/assignments/message-headers/>)?

Yes, if it's a security problem not to. IMHO that should be the 
determining factor.

Actually, I'm wondering if we should disallow any header starting with 
"Proxy-". For example, the Proxy-Authorization header looks scary to me.

/ Jonas
Received on Monday, 23 July 2007 07:35:34 UTC
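
The difference between blocking "Proxy-Connection" by name and blocking every header that starts with "Proxy-", as discussed in the message above, shown as an added example that is not part of the original message or of the XHR specification. All function names, the denylist contents and the sample header names are assumptions constructed for illustration.

```javascript
// Added illustration: every identifier here is hypothetical, not XHR spec text.
const EXACT_DENYLIST = new Set(["proxy-connection"]); // name-by-name approach
const DENIED_PREFIXES = ["proxy-"];                   // prefix approach from the message

// HTTP header names are case-insensitive, so lower-case before comparing.
// Surrounding whitespace is stripped so " Proxy-Authorization" cannot slip past.
function normalise(name) {
  return String(name).trim().toLowerCase();
}

function blockedByExactList(name) {
  return EXACT_DENYLIST.has(normalise(name));
}

function blockedByPrefix(name) {
  const n = normalise(name);
  return DENIED_PREFIXES.some((prefix) => n.startsWith(prefix));
}

// Guard a script-facing setRequestHeader could run before storing a header.
// Returns true if the header was stored, false if it was refused.
function guardedSetHeader(headers, name, value) {
  if (blockedByPrefix(name)) return false;
  headers.set(normalise(name), String(value));
  return true;
}

// Constructed sample input: registered and unregistered names, mixed case.
const SAMPLE = [
  "Proxy-Connection",
  "PROXY-AUTHORIZATION",
  "proxy-future-thing", // made-up name standing in for a header not yet defined
  "X-Proxy-Hint",       // contains "proxy-" but does not start with it
  "Accept",
];

// For each name, report which of the two policies would refuse it.
function compare(names) {
  return names.map((name) => ({
    name,
    exact: blockedByExactList(name),
    prefix: blockedByPrefix(name),
  }));
}

console.table(compare(SAMPLE));
```

The name-by-name list refuses only the header it was written for, while the prefix rule also refuses Proxy-Authorization and names that have no registration yet, without touching headers that merely contain the string.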