W3C home > Mailing lists > Public > public-webapi@w3.org > March 2008

Re: XHR setRequestHeader("connection", "close") is bogusly rejected

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 07 Mar 2008 15:29:09 -0800
Message-ID: <47D1CFC5.4080802@sicking.cc>
To: Morgan L <morganl.webkit@yahoo.com>
CC: public-webapi@w3.org

Morgan L wrote:
> Hi, I'm writing about what appears to be an error in
> the XHR TR.
> In section 2 of http://www.w3.org/TR/XMLHttpRequest/,
> it says that setRequestHeader should reject the
> connection header.
> However, there are web apps in existence (e.g., Gmail)
> that set the "connection: close" header to inform the
> user-agent that the HTTP transaction is going to take
> a long time.  (This is also informative for the
> server.)  This allows a user-agent to not count this
> connection against the RFC 2616 recommended maximum of
> 2 persistent connections per host.
> So, it seems to me that the arguments
> setRequestHeader("connection", "close") should be
> allowed.
> More details in this WebKit bug:
> http://bugs.webkit.org/show_bug.cgi?id=17682
> It looks like recent versions of WebKit and Gecko
> block the "connection" request header per this TR. 
> However, Firefox 2 does not.

We do block, but not because of this TR. IIRC there are security issues 
with other values for connection, though I don't specifically remember 
what they are. However setting something like "connection: keep-alive" 
when the browser is not expecting that could have bad effects on other 
connections to that server.

/ Jonas
Received on Friday, 7 March 2008 23:29:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:25 UTC