RE: XHR setting headers

>> IMHO we need either removeRequestHeader(), getRequestHeader(), or both.

getRequestHeader() could pose a security risk, because you could then getRequestHeader("Cookie") and steal HttpOnly cookies.

-----Original Message-----
From: public-webapi-request@w3.org [mailto:public-webapi-request@w3.org] On Behalf Of Julian Reschke
Sent: Thursday, April 17, 2008 6:32 AM
To: Peter Michaux
Cc: public-webapi@w3.org
Subject: Re: XHR setting headers


Peter Michaux wrote:
> The XMLHttpRequest spec says "The setRequestHeader() method appends a
> value if the HTTP header given as argument is already part of the list
> of request headers."
> This is fine but what is a problem is whether or not a new
> XMLHttpRequest object has any default headers. I was trying to use the
> Accept header a few days ago and I wanted to have only
>
> Accept: application/json
>
> but Opera has a default header
>
> Accept: text/html, text/xhtml, etc
>
> so my application/json was appended to the front of that list which
> makes my Accept header useless as part of the client-server
> communication. The server thinks that the client knows what to do with
> text/html. My JavaScript certainly does NOT know what to do with
> text/html. My JavaScript only knows how to handle application/json.
>
> I think all XMLHttpRequest headers should be specified as blank when
> the object is created. Then the JavaScript can add any headers it
> needs to add. If, when the call to send() occurs, some essential
> header(s) is missing the XMLHttpRequest object should add these
> automatically but only according to specified behavior.

The whole "append" semantics is problematic as long as the user can't
find out what the current value is.

IMHO we need either removeRequestHeader(), getRequestHeader(), or both.

BR, Julian

PS: I may sound like a broken record WRT this, but anyway.
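The following is an added example, not code from this thread or from any browser. It is a toy model of the XMLHttpRequest request-header list with the "append" semantics the spec sentence quoted above describes, plus the two accessors Julian proposes, and it covers both points raised in the thread: Peter's Accept header being appended to a browser default, and the concern in the reply at the top that a getRequestHeader() could read back the Cookie header. The class, the constructed default Accept value, the simulated cookie jar and the short forbidden-name list are all assumptions made for illustration (the real XHR/Fetch forbidden-header list is longer).

```javascript
// Added example, not from the thread or any browser: a toy model of the XHR
// request-header list with the spec's "append" semantics, plus the proposed
// getRequestHeader()/removeRequestHeader() accessors. All names and values
// below are assumptions constructed for illustration.

// Names the script is never allowed to set or read; "cookie" is the one the
// HttpOnly concern above is about. (The real forbidden list is longer.)
const FORBIDDEN_REQUEST_HEADERS = new Set(["cookie", "cookie2", "host", "content-length"]);

class RequestHeaderList {
  constructor(defaults = {}) {
    // lower-cased name -> combined value (header names are case-insensitive)
    this.headers = new Map();
    for (const [name, value] of Object.entries(defaults)) {
      this.headers.set(name.toLowerCase(), value);
    }
  }

  // setRequestHeader(): if the header is already present, append ("a, b")
  // rather than replace, which is the behaviour Peter ran into.
  setRequestHeader(name, value) {
    const key = name.toLowerCase();
    if (FORBIDDEN_REQUEST_HEADERS.has(key)) {
      throw new Error(`Refusing to set forbidden request header "${name}"`);
    }
    const existing = this.headers.get(key);
    this.headers.set(key, existing === undefined ? value : `${existing}, ${value}`);
  }

  // Hypothetical getRequestHeader(): consults only the script-visible list and
  // refuses forbidden names, so a browser-managed Cookie header can never be
  // read back even though it will be sent.
  getRequestHeader(name) {
    const key = name.toLowerCase();
    if (FORBIDDEN_REQUEST_HEADERS.has(key)) {
      throw new Error(`Refusing to read forbidden request header "${name}"`);
    }
    const value = this.headers.get(key);
    return value === undefined ? null : value;
  }

  // Hypothetical removeRequestHeader(): lets the script drop a default it does not want.
  removeRequestHeader(name) {
    return this.headers.delete(name.toLowerCase());
  }

  // Simulates what the network layer sends: the browser attaches Cookie from
  // its own jar at the last moment, so it is on the wire but was never in the
  // list the script can see.
  wireHeaders(cookieJar) {
    const wire = new Map(this.headers);
    if (cookieJar) wire.set("cookie", cookieJar);
    return wire;
  }
}

// Constructed default mimicking a browser that pre-populates Accept.
const BROWSER_DEFAULTS = { Accept: "text/html, application/xhtml+xml, */*" };

// Peter's scenario: setting Accept on top of a default appends instead of replacing.
function acceptAfterAppend() {
  const list = new RequestHeaderList(BROWSER_DEFAULTS);
  list.setRequestHeader("Accept", "application/json");
  // -> "text/html, application/xhtml+xml, */*, application/json"
  return list.getRequestHeader("Accept");
}

// With removeRequestHeader() the script ends up with the header it actually meant.
function acceptAfterRemove() {
  const list = new RequestHeaderList(BROWSER_DEFAULTS);
  list.removeRequestHeader("Accept");
  list.setRequestHeader("Accept", "application/json");
  return list.getRequestHeader("Accept"); // -> "application/json"
}

// The HttpOnly concern: the cookie goes out on the wire, but
// getRequestHeader("Cookie") throws instead of returning it.
function cookieIsSentButNotReadable() {
  const list = new RequestHeaderList(BROWSER_DEFAULTS);
  const wire = list.wireHeaders("session=constructed-value");
  let readable = true;
  try {
    list.getRequestHeader("Cookie");
  } catch (e) {
    readable = false;
  }
  return { sentOnWire: wire.has("cookie"), readableByScript: readable };
}
```

The design point the model makes is that a getRequestHeader() is only safe if it reads the same script-visible list that setRequestHeader() writes and refuses the same forbidden names; headers the browser adds at send time (Cookie among them) must never pass through it, so HttpOnly keeps its guarantee even with the accessor present.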

Received on Monday, 21 April 2008 23:10:10 UTC