RE: ACTION-679: Propose text for para 2 of 3.1.1

Hi Francois

My proposed text is really aimed at preventing requests from non-browsers
being modified by the proxy - e.g. ones from media players, Java
applications etc, all of which might end up being routed through the same
proxy.

Here are my thoughts on the AJAX/XHR use case:

Firstly, the user-agent is still a browser whether or not it is using XHR
and I don't think it would be appropriate to prevent proxies modifying
these requests at all.  In the F2F, Rob mentioned tokenizing URLs so
that's at least one case where it could be necessary to modify the request
if it comes from a page that was transformed.

I think there could be a class of AJAX-aware CT proxies that perform some
limited transformations on AJAX pages, such as URL rewriting or fixing up
compatibility issues.  We must not preclude these kinds of proxies so it
may be appropriate for an XHR and even its response to be modified if it
is done correctly.

In almost every case, XHR requests will come from web pages that have
already been through the proxy. If the proxy has transformed the page
without being aware that it uses AJAX, the chance of the XHR doing
anything useful is quite small whether it is modified or not.  I think the
document already provides for sufficient control over the transformation
of responses (web pages) so nothing extra should be needed here.

If the proxy hasn't transformed the page then it is important to ensure
that it does not modify the XHR request.  Perhaps the guidelines should
say that *requests* should only be modified when the proxy can determine
positively that they originate from a page which was transformed by it.
There are ways to do that, some more invasive than others.  We could leave
that issue for vendors to resolve.

__
Martin.

-----Original Message-----
From: Francois Daoust [mailto:fd@w3.org]
Sent: 18 March 2008 10:33
To: Martin Jones
Cc: public-bpwg-ct@w3.org
Subject: Re: ACTION-679: Propose text for para 2 of 3.1.1

Thanks, Martin, I'll add this to today's agenda.

Martin Jones wrote:
> Proposed text:  Irrespective of the presence of the no-transform
> directive, the proxy must behave transparently (q.v.) unless it is able
> to determine positively that the user agent is a browser.   The
> mechanism by which the proxy recognizes the user agent as a browser
> should use evidence from the HTTP request, in particular the user-agent
> and accept headers.

I made a simple test this morning:

1. I created a "test.html" web page. It only contains a few lines of
JavaScript code to send an HTTP GET request to "xhrtest.html" using an
XMLHttpRequest object:
http://www.w3.org/2008/03/xhr-ua-test/test.html

2. I requested "test.html" from Firefox, and watched the HTTP headers
being exchanged.

The result is that (apart from the Referer header that is present in the
XHR request but that cannot be used to say that the request is not from
the browser itself), the headers in the request to "test.html" are
exactly the same as the ones to "xhrtest.html".

In short, there's absolutely no way to tell the difference between an
HTTP request that is sent by the browser and one that is sent by an XHR
object, for which we would like the CT-proxy to behave transparently.

Am I missing something? What should we say?


Below is the trace of the HTTP headers for both requests:

----------------------------------------------------------
http://www.w3.org/2008/03/xhr-ua-test/test.html

GET /2008/03/xhr-ua-test/test.html HTTP/1.1
Host: www.w3.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12)
Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;
q=0.8,image/png,*/*;q=0.5

Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: cookieb2evosession=16753213_7K8PV32mWeR6BrLMHqhMbdiFCx7WJtzV
Authorization: Basic ZmQ6QmFja3RvMUE=
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Date: Tue, 18 Mar 2008 10:25:21 GMT
Server: Apache/2
Last-Modified: Tue, 18 Mar 2008 10:23:14 GMT
Etag: "629-448b38628a880"
Accept-Ranges: bytes
Content-Length: 1577
Cache-Control: max-age=21600
Expires: Tue, 18 Mar 2008 16:25:21 GMT
P3P: policyref="http://www.w3.org/2001/05/P3P/p3p.xml"
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


----------------------------------------------------------
http://www.w3.org/2008/03/xhr-ua-test/xhrtest.html

GET /2008/03/xhr-ua-test/xhrtest.html HTTP/1.1
Host: www.w3.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12)
Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;
q=0.8,image/png,*/*;q=0.5

Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.w3.org/2008/03/xhr-ua-test/test.html
Cookie: cookieb2evosession=16753213_7K8PV32mWeR6BrLMHqhMbdiFCx7WJtzV
Authorization: Basic ZmQ6QmFja3RvMUE=
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Date: Tue, 18 Mar 2008 10:25:21 GMT
Server: Apache/2
Last-Modified: Tue, 18 Mar 2008 10:23:14 GMT
Etag: "1e0-448b38628a880"
Accept-Ranges: bytes
Content-Length: 480
Cache-Control: max-age=21600
Expires: Tue, 18 Mar 2008 16:25:21 GMT
P3P: policyref="http://www.w3.org/2001/05/P3P/p3p.xml"
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
----------------------------------------------------------



François.

Received on Tuesday, 18 March 2008 13:27:39 UTC
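The following is an added example and not code from the thread or from the W3C test page. It replays François' experiment on the two request traces quoted above (header folding undone, the Cookie and Authorization values replaced by constructed placeholders) to show that only Referer differs, and then models the rule Martin proposes: a CT proxy modifies a *request* only when the user agent is positively a browser and the request can be tied to a page the proxy itself transformed. The `ProxyState` bookkeeping, the `looks_like_browser` heuristic and the `Java/...` user agent are assumptions made for the example; the thread leaves the real tracking mechanism to vendors.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Request heads as quoted in the thread. Cookie value is a constructed
# placeholder and the Authorization header is omitted.
NAV_REQUEST = """GET /2008/03/xhr-ua-test/test.html HTTP/1.1
Host: www.w3.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: session=PLACEHOLDER
Pragma: no-cache
Cache-Control: no-cache
"""

XHR_REQUEST = """GET /2008/03/xhr-ua-test/xhrtest.html HTTP/1.1
Host: www.w3.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.w3.org/2008/03/xhr-ua-test/test.html
Cookie: session=PLACEHOLDER
Pragma: no-cache
Cache-Control: no-cache
"""

TEST_PAGE = "http://www.w3.org/2008/03/xhr-ua-test/test.html"


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into (request line, headers).
    Header names are lower-cased: HTTP header names are case-insensitive."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def header_diff(a: dict[str, str], b: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Headers whose value differs, or that are present on one side only."""
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}


def looks_like_browser(headers: dict[str, str]) -> bool:
    """Positive evidence from User-Agent and Accept, as in Martin's proposed
    text. Toy heuristic (assumption); a real proxy consults a UA database."""
    return "Mozilla/" in headers.get("user-agent", "") and "text/html" in headers.get("accept", "")


@dataclass
class ProxyState:
    # URLs of pages this proxy has already transformed. The thread leaves the
    # tracking mechanism to vendors; a plain set is the constructed stand-in.
    transformed_pages: set[str] = field(default_factory=set)


def request_policy(headers: dict[str, str], state: ProxyState) -> str:
    """Decide whether the proxy may modify this *request*. Response handling
    is governed separately, as Martin notes, and is not modelled here."""
    if not looks_like_browser(headers):
        return "transparent"  # media player, Java application, ...
    referer = headers.get("referer")
    if referer is not None and referer in state.transformed_pages:
        return "may-modify"  # positively originates from a page we transformed
    # Top-level navigation, or an XHR from an untransformed page: François'
    # trace shows the headers cannot tell these apart, so leave both alone.
    return "transparent"


def replay_experiment() -> dict[str, tuple[str | None, str | None]]:
    """Diff the two traced requests; only Referer is expected to differ."""
    _, nav = parse_request(NAV_REQUEST)
    _, xhr = parse_request(XHR_REQUEST)
    return header_diff(nav, xhr)


if __name__ == "__main__":
    print("header differences:", replay_experiment())
    state = ProxyState()
    _, xhr = parse_request(XHR_REQUEST)
    print("XHR, page not transformed:", request_policy(xhr, state))
    state.transformed_pages.add(TEST_PAGE)
    print("XHR, page transformed:   ", request_policy(xhr, state))
```

The Referer lookup is the least invasive of the "ways to do that" Martin alludes to, and it is only a stand-in: Referer may be absent or stripped, and a link click from a transformed page carries the same Referer as an XHR from it, which is why the policy keys on "came from a page we transformed" rather than on "is an XHR".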