- From: John Panzer <jpanzer@acm.org>
- Date: Wed, 13 Feb 2008 21:59:29 -0800
- To: Anne van Kesteren <annevk@opera.com>
- CC: Ian Hickson <ian@hixie.ch>, "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote:
> On Thu, 14 Feb 2008 00:36:05 +0100, Ian Hickson <ian@hixie.ch> wrote:
>> On Wed, 13 Feb 2008, John Panzer wrote:
>>> Some of today's APIs like Flickr put authorization evidence into URL
>>> query parameters for CSR. It's mildly bad to do this because such
>>> things are more likely to get logged and sniffed than headers, and you
>>> can't separate the resource URL from the authorization proof being
>>> presented to use it, which would be useful in caching.
>>
>> Also agreed. That's one of the reasons that XMLHttpRequest + Access
>> Control together let you set arbitrary extension headers.
>
> This is currently not the case for XMLHttpRequest level 2. Based on
> feedback from Mozilla only Accept and Accept-Language can be set for
> cross-site requests.

(Aside: Surely Content-Type is allowed as well?)

This rules out the use of AtomPub's (RFC 5023) If-Match: header on PUT for optimistic concurrency control, and the Slug: header [1] on POSTs for suggesting the URI to mint. The first is especially troublesome. It also eliminates the ability to do cache control (except crudely by salting the URL, which of course fills up caches with dead data). It makes it impossible to use the common X-Method-Override work-around for intermediaries which don't support things other than GET and POST. It prevents the use of the Range: header to get a subset of a resource. And of course it prevents the use of any custom X- header for any purpose.

-John

[1] http://tools.ietf.org/html/rfc5023#section-9.7
Received on Thursday, 14 February 2008 05:56:02 UTC
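The following is an added example, not code from the thread or from any of its participants. It simulates offline the consequence John describes: a cross-site request-header allowlist that admits only Accept and Accept-Language (plus Content-Type, per his aside; treating it as allowed is an assumption here) silently drops If-Match, so an AtomPub-style PUT loses its optimistic concurrency check and a stale client overwrites a newer revision. The in-memory store, the ETag scheme and every function name are hypothetical; the 412 behaviour follows RFC 2616 section 14.24 as used by RFC 5023.

```javascript
// Added example (not from the thread). Simulates a cross-site header allowlist
// stripping If-Match from an AtomPub-style PUT. Store, ETag scheme and names
// are hypothetical; Content-Type being on the allowlist is an assumption.

const CROSS_SITE_HEADER_ALLOWLIST = new Set(['accept', 'accept-language', 'content-type']);

// Strip every header a cross-site XMLHttpRequest would not be allowed to set.
function filterCrossSiteHeaders(headers) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (CROSS_SITE_HEADER_ALLOWLIST.has(name.toLowerCase())) {
      kept[name] = value;
    } else {
      dropped.push(name);
    }
  }
  return { kept, dropped };
}

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function header(headers, wanted) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Toy single-resource store whose ETag changes on every successful write.
function makeStore(initialBody) {
  let rev = 1;
  let body = initialBody;
  const etag = () => `"rev${rev}"`;
  return {
    get: () => ({ status: 200, etag: etag(), body }),
    // PUT with If-Match semantics (RFC 2616 14.24; used by AtomPub, RFC 5023,
    // for editing entries): replace only if the ETag still matches, else
    // 412 Precondition Failed. Without If-Match the write is unconditional.
    put: (headers, newBody) => {
      const ifMatch = header(headers, 'If-Match');
      if (ifMatch !== undefined && ifMatch !== '*' && ifMatch !== etag()) {
        return { status: 412, etag: etag(), body };
      }
      rev += 1;
      body = newBody;
      return { status: 200, etag: etag(), body };
    },
  };
}

// Two clients read the same revision; B writes first; A then PUTs with the
// stale ETag. With If-Match intact, A gets 412 and B's edit survives. With the
// cross-site filter applied, If-Match is dropped and A overwrites B (lost update).
function lostUpdateScenario(applyCrossSiteFilter) {
  const store = makeStore('original');
  const staleEtag = store.get().etag; // both A and B read "rev1"
  store.put({ 'If-Match': staleEtag, 'Content-Type': 'application/atom+xml' }, 'B');

  let headersA = { 'If-Match': staleEtag, 'Content-Type': 'application/atom+xml' };
  if (applyCrossSiteFilter) headersA = filterCrossSiteHeaders(headersA).kept;
  const responseA = store.put(headersA, 'A');
  return { statusA: responseA.status, finalBody: store.get().body };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('same-origin PUT, If-Match kept:', lostUpdateScenario(false)); // statusA 412, finalBody 'B'
  console.log('cross-site PUT, If-Match dropped:', lostUpdateScenario(true)); // statusA 200, finalBody 'A'
}
```

Run with `node` to see both outcomes side by side; the only difference between the two runs is whether `filterCrossSiteHeaders` was applied to client A's headers, which is exactly the restriction under discussion.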