
Re: XHR's setRequestHeader and the Do Not Track (DNT) header

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 9 May 2012 19:15:46 -0700
Message-ID: <CAJE5ia_23BQQ68ByZkfforEUWFwO+am1+pusKJ9h5vEpU6SsYw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ian Melven <imelven@mozilla.com>, public-webapps@w3.org, Sid Stamm <sid@mozilla.com>, Tom Lowenthal <tom@mozilla.com>
On Wed, May 9, 2012 at 2:38 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, May 8, 2012 at 9:34 PM, Ian Melven <imelven@mozilla.com> wrote:
>> I'd like to propose that the Do Not Track header (see http://www.w3.org/TR/tracking-dnt/#dnt-header-field) "DNT"
>> be added to the list of request headers not allowed to be set via XHR's setRequestHeader method (see
>> http://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html#the-setrequestheader%28%29-method)
>
> That shouldn't be a problem. I wonder, should we remove the "Sec-"
> handling? That was suggested at some point as we are special casing
> header naming, but it does not appear to be used.

It's used by WebSockets.

> And given that
> updating this magic list is not really a big problem and browsers are
> updated quick enough maybe that is just as well.

Maybe.  Another perspective is that not all browsers are on the
fast-update train yet and folks might want to define headers that
can't be spoofed by them.

Adam
Received on Thursday, 10 May 2012 02:16:48 GMT
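
The trade-off discussed in this thread, as an added example that is not part of the original message or of any browser's code: a model of the setRequestHeader() name check showing that a header added to the enumerated list (DNT) is only protected in browsers that have shipped the update, while a "Sec-" prefixed header is refused even by a browser with the older list. The function names, the partial base list and the "Sec-Example-Signal" header are assumptions made for illustration.

```javascript
// Added illustration; not taken from the XHR draft text or a browser code base.
// BASE_LIST is a partial, constructed subset of the forbidden request headers.
const BASE_LIST = ["cookie", "host", "origin", "referer", "user-agent",
                   "connection", "content-length", "upgrade"];

// Hypothetical model of the name check a browser applies in setRequestHeader().
// extraNames: names added to the enumerated list in a later update.
// prefixes:   name prefixes that are refused wholesale.
function makeHeaderPolicy({ extraNames = [], prefixes = [] } = {}) {
  const names = new Set([...BASE_LIST, ...extraNames].map(n => n.toLowerCase()));
  const blockedPrefixes = prefixes.map(p => p.toLowerCase());
  return function isForbidden(name) {
    // Header field names are case-insensitive, so compare in lower case.
    const n = String(name).trim().toLowerCase();
    return names.has(n) || blockedPrefixes.some(p => n.startsWith(p));
  };
}

// Browser that has not yet picked up the DNT addition, but has the prefix rule.
const notUpdated = makeHeaderPolicy({ prefixes: ["proxy-", "sec-"] });
// Browser that has the DNT addition and the prefix rule.
const updated = makeHeaderPolicy({ extraNames: ["DNT"], prefixes: ["proxy-", "sec-"] });
// Browser with the DNT addition but with the "Sec-" handling removed.
const noSecRule = makeHeaderPolicy({ extraNames: ["DNT"], prefixes: ["proxy-"] });

// true means page script is refused when it tries to set the header.
function compare(headerName) {
  return {
    header: headerName,
    notUpdated: notUpdated(headerName),
    updated: updated(headerName),
    noSecRule: noSecRule(headerName),
  };
}

// Sec-Example-Signal is a constructed name standing in for a future header.
const report = ["DNT", "Sec-WebSocket-Key", "Sec-Example-Signal", "X-Requested-With"]
  .map(compare);
console.table(report);
```
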
