Re: CSR and Mozilla - Clarifying HTTP Header Filtering

Mark:

Thanks for sharing the thread. The approach makes sense to me. What
was the final result?

MikeA

On Feb 19, 2008 9:33 AM, Mark Baker <distobj@acm.org> wrote:
> On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote:
> > On Tue, 19 Feb 2008 05:21:12 +0100, Mark Baker <distobj@acm.org> wrote:
> > > On 2/18/08, mike amundsen <mamund@yahoo.com> wrote:
> > >>
> > >> John makes a good point.
> > >>
> > >> There are a number of 'non-spec' HTTP Headers in use that should not
> > >> be pre-empted. Some Atom servers support the X-WSSE header[1], which is
> > >> another one. Trying to come up with a list of allowed headers is
> > >> really the wrong way to go.
> > >>
> > >> I suggest someone try to make the opposite case - a header that should
> > >> not be allowed.
> > >
> > > Been there, done that;
> > >
> > > http://lists.w3.org/Archives/Public/public-webapi/2006May/0008.html
> >
> > No, these are completely different cases. What you're referring to is ok
> > for same-origin requests and is what the same-origin requests still allow.
> > Non same-origin requests probably require a different policy though.
>
> I think it's the same case.  The issue in both cases is that the
> script should always be subordinate to the user agent whose job it is
> to ensure that the messages it sends are valid HTTP messages that
> don't misrepresent either the user or its own capabilities.
>
> Mark.
> --
> Mark Baker.  Ottawa, Ontario, CANADA.         http://www.markbaker.ca
> Coactus; Web-inspired integration strategies  http://www.coactus.com
>



-- 
mca
http://amundsen.com/blog/
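The allowlist-versus-blocklist argument in the quoted thread, worked through in code as an added example (it is not code from any participant or from the specification under discussion). The blocklist follows Mark's rule that script may only send a valid HTTP message and may not set headers the user agent itself vouches for; the allowlist enumerates approved names. Both header sets and the X-WSSE sample value are assumed, illustrative values, not any specification's lists.

```python
import re
# Field-name token grammar (RFC 2616/7230): tchar only, no separators or CTLs.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Blocklist: headers the user agent owns because they describe the message
# framing, the connection or the user rather than the application payload.
# Assumed, illustrative set for this example, not any specification's list.
UA_CONTROLLED = {
    "host", "content-length", "transfer-encoding", "connection", "upgrade",
    "cookie", "referer", "origin", "user-agent", "via", "date", "expect", "te",
    "trailer", "access-control-request-method", "access-control-request-headers",
}
UA_CONTROLLED_PREFIXES = ("proxy-", "sec-")

# Allowlist of the kind the thread argues against (also assumed/illustrative).
ALLOWLIST = {"accept", "accept-language", "content-language", "content-type",
             "if-match", "if-none-match", "if-modified-since", "range"}


def well_formed(name, value):
    """A header script sets must still yield a valid HTTP message: a token
    field-name and a value free of CR, LF or NUL (no request splitting)."""
    return bool(_TOKEN.match(name)) and re.search(r"[\r\n\x00]", value) is None


def blocklist_allows(name, value):
    """Mark's position: forbid only what would misrepresent the UA or the user."""
    lname = name.lower()
    if not well_formed(name, value):
        return False
    return not (lname in UA_CONTROLLED or lname.startswith(UA_CONTROLLED_PREFIXES))


def allowlist_allows(name, value):
    """The enumerated-list approach: anything not pre-approved is dropped."""
    return well_formed(name, value) and name.lower() in ALLOWLIST


def filter_headers(headers, policy):
    """Return the (name, value) pairs the given policy lets through."""
    return [(n, v) for n, v in headers if policy(n, v)]


# Constructed sample of headers a page script might try to attach.
SCRIPT_HEADERS = [
    ("Content-Type", "application/atom+xml"),
    ("X-WSSE", 'UsernameToken Username="alice", Nonce="c2FsdA==", Created="2008-02-19T09:33:00Z"'),
    ("Host", "other.example"),                     # would misrepresent the target
    ("Proxy-Authorization", "Basic Zm9vOmJhcg=="),  # proxy/UA-owned credential
    ("X-Custom", "ok\r\nCookie: session=x"),        # CRLF would split the message
]

if __name__ == "__main__":
    for label, policy in (("blocklist", blocklist_allows), ("allowlist", allowlist_allows)):
        print(label, [n for n, _ in filter_headers(SCRIPT_HEADERS, policy)])
```

Under the blocklist X-WSSE goes through while the framing, proxy and CRLF cases are dropped; under the allowlist X-WSSE is dropped as well, which is the loss the thread is objecting to.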

Received on Tuesday, 19 February 2008 15:21:49 UTC