W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Expanding setRequestHeader() blacklist (was: Re: XHR LC comments)

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 16 May 2008 11:01:38 +0200
To: "Ian Hickson" <ian@hixie.ch>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: public-webapi@w3.org
Message-ID: <op.ua8oo0c464w2qv@annevk-t60.oslo.opera.com>

On Wed, 14 May 2008 22:45:32 +0200, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 14 May 2008, Bjoern Hoehrmann wrote:
>> Note that there are more headers on the list than the ones listed above,
>> specifically Proxy-*, Sec-*, and it is unclear how to handle, say, the
>> Cookie and Authorization header.
> I think I would lump the Cookie, Cookie2, and Authorization headers in  
> the
> same bucket as, e.g., Host -- these are headers that the UA should be
> setting and not headers that should be under author control.

Agreed, I added these.

> Incidentally, I think I would recommend removing the blacklist from AC,
> since AC has a whitelist. Having both seems pointless.

Access Control for Cross-Site Requests does actually allow arbitrary  
headers in the request, though a preflight request is required if they are  
not in the whitelist. Therefore it is important that the blacklist is  
still there to filter out all headers that should not be allowed even if  
the server agrees. (Arguably this blacklist is not relevant in the  
XMLHttpRequest case because there those headers are filtered at an earlier  

Anne van Kesteren
Received on Friday, 16 May 2008 09:02:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:26 UTC