[whatwg] headers for XMLHttpRequests

Replying to myself...

On 20 Jun 2005 at 15:52, Hallvord Reiar Michaelsen Ste wrote:

> Commenting on 
> http://www.whatwg.org/specs/web-apps/current-work/#setrequestheader
<X>
> I'm not sure why we disallow normal headers at all.
<X>
> Would it be better if the spec just stated what headers could be 
> overridden or appended to? Basically we would have three categories: 
> untouchable, override and append (depending on whether the header 
> value can be a comma-separated list or not).

Here is a proposed replacement section (replacing the text from "User 
agents must not set any headers other than.." to the send method 
section.)

Editorial changes:
* Added many more headers - particularly disallowed ones
* Do not blanket disallow UAs from sending headers (but still mention 
cache-control specifically)
* I didn't see any reason for disallowing Accept-* headers, so I put 
them in the "append values to these" category. Nobody replied when I 
asked about this back in June.
* Added a statement about caching proxy behaviour (this came out of 
our discussion on whether UAs should report status 304 as 200)
* Added a list of headers that the UA can interpret OR pass on to the 
server according to caching proxy logic. I don't know if this is a 
complete list, since I haven't read that part of the HTTP spec 
recently.

HTML below, hopefully ready for the spec - feedback welcome!


     <p>The user agent may send any of these headers but must not 
allow the script to set any of them:</p>

    <ul>
        <li>Allow </li>
        <li>Allowed </li>
        <li>Connection </li>
        <li>Content-Length </li>
        <li>Content-Location </li>
        <li>Content-Range </li>
        <li>Host </li>
        <li>Keep-alive</li>
        <li>Max-Forwards </li>
        <li>Proxy-Authorization </li>
        <li>Public </li>
        <li>Referer</li>
        <li>TE </li>
        <li>Trailer </li>
        <li>Transfer-Encoding </li>
        <li>Upgrade </li>
        <li>URI </li>
        <li>Vary </li>
        <li>Via </li>
        <li>Warning </li>
        <li>WWW-Authenticate </li>
    </ul>

    <p>The User Agent may send any of these headers. Values set by 
the script must be concatenated with the UA's value after a comma and 
a space.</p>
    
    <ul>
      <li>Accept-Charset</li>
      <li>Accept-Encoding</li>
      <li>Accept-Language</li>
      <li>Authorization</li>
      <li>Cookie</li>
      <li>Cookie2</li>
      <li>User-Agent</li>
    </ul>
    
    <p>The User Agent must not automatically send the following 
headers:</p>

    <ul>
        <li>Cache-Control</li>
        <li>Pragma</li>
    </ul>


    <p>User Agents must interpret any cache-related headers set by 
the script according to HTTP's rules for caching proxies <a 
href="#refsHTTP">[HTTP]</a>. This includes the following headers, 
which after being processed by the UA may or may not be sent to the 
server:</p>

    <ul>
        <li>If-Modified-Since</li>
        <li>If-None-Match</li>
        <li>If-Range</li>
        <li>Range </li>
    </ul>


-- 
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/

Received on Wednesday, 25 January 2006 03:44:05 UTC
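
The header categories proposed in the message above, worked through as an added example (not part of the original post and not code from any user agent). The helper names, the choice to drop untouchable headers rather than raise an error, the treatment of unlisted headers as "override", and the sample values are assumptions made for illustration.

```javascript
// Header lists copied from the proposal above. HTTP field names are
// case-insensitive, so every comparison uses the lowercased name.
const lower = (names) => new Set(names.map((n) => n.toLowerCase()));
const UNTOUCHABLE = lower(["Allow", "Allowed", "Connection", "Content-Length",
  "Content-Location", "Content-Range", "Host", "Keep-alive", "Max-Forwards",
  "Proxy-Authorization", "Public", "Referer", "TE", "Trailer",
  "Transfer-Encoding", "Upgrade", "URI", "Vary", "Via", "Warning",
  "WWW-Authenticate"]);
const APPEND = lower(["Accept-Charset", "Accept-Encoding", "Accept-Language",
  "Authorization", "Cookie", "Cookie2", "User-Agent"]);
const CACHE_RELATED = lower(["If-Modified-Since", "If-None-Match", "If-Range",
  "Range"]);

// Hypothetical helper: which of the proposal's categories a name falls in.
// Names on none of the lists are treated as "override" (assumption).
function classify(name) {
  const key = name.trim().toLowerCase();
  if (UNTOUCHABLE.has(key)) return "untouchable";
  if (APPEND.has(key)) return "append";
  if (CACHE_RELATED.has(key)) return "cache";
  return "override";
}

// uaHeaders: headers the UA would send on its own.
// scriptCalls: [name, value] pairs as passed to setRequestHeader.
function mergeHeaders(uaHeaders, scriptCalls) {
  const out = new Map();
  for (const [n, v] of Object.entries(uaHeaders)) out.set(n.toLowerCase(), v);
  const rejected = [];      // script attempts on untouchable headers
  const cacheHandled = [];  // UA must evaluate these against its cache first
  for (const [name, value] of scriptCalls) {
    const key = name.trim().toLowerCase();
    const kind = classify(name);
    if (kind === "untouchable") { rejected.push(name); continue; }
    if (kind === "cache") cacheHandled.push(name);
    if (kind === "append" && out.has(key)) {
      out.set(key, out.get(key) + ", " + value); // comma and a space, as proposed
    } else {
      out.set(key, value);
    }
  }
  return { headers: Object.fromEntries(out), rejected, cacheHandled };
}

// Constructed sample input: mixed-case names must not bypass the untouchable list.
const sample = mergeHeaders(
  { "Host": "example.org", "User-Agent": "ExampleUA/1.0", "Accept-Language": "en" },
  [["host", "other.example"], ["TRANSFER-ENCODING", "chunked"],
   ["Accept-Language", "nb"], ["X-Custom", "1"], ["If-None-Match", '"abc"']]);
```

The `cacheHandled` list only records which headers fall under the caching-proxy rule; whether the UA then forwards them to the server is left to its cache logic, as the proposal states.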