RE: ACTION-679: Propose text for para 2 of 3.1.1

Francois,
I think there is no difference because you used a Firefox+javascript environment, and the headers are the same as for Firefox natively (i.e. not via XHR) unless you have some means to modify the headers as part of your javascript. 

The best practice that comes out of this is that applications that do not expect to operate as "browsers" and that will not benefit from CT should identify themselves uniquely through the user-agent header. They can provide a complete distinct user-agent header or add extra info to the base user-agent header (if they have an API to do so provided by their runtime environment) and any adept CT/server implementation should be capable of identifying them thus as a browser or not. This is the only way I know of that does not rely upon a new technology/header.

Best regards,
Bryan Sullivan | AT&T
-----Original Message-----
From: public-bpwg-ct-request@w3.org [mailto:public-bpwg-ct-request@w3.org] On Behalf Of Francois Daoust
Sent: Tuesday, March 18, 2008 3:33 AM
To: Martin Jones
Cc: public-bpwg-ct@w3.org
Subject: Re: ACTION-679: Propose text for para 2 of 3.1.1


Thanks, Martin, I'll add this to today's agenda.

Martin Jones wrote:
> Proposed text:  Irrespective of the presence of the no-transform 
> directive, the proxy must behave transparently (q.v.) unless it is able
> to determine positively that the user agent is a browser.   The 
> mechanism by which the proxy recognizes the user agent as a browser 
> should use evidence from the HTTP request, in particular the 
> user-agent and accept headers.

I made a simple test this morning:

1. I created a "test.html" web page. It only contains a few lines of Javascript code to send an HTTP GET request to "xhrtest.html" using an XmlHttpRequest object:
http://www.w3.org/2008/03/xhr-ua-test/test.html

2. I requested "test.html" from Firefox, and watched the HTTP headers being exchanged.

The result is that (apart from the Referer header that is present in the XHR request but that cannot be used to say that the request is not from the browser itself), the headers in the request to "test.html" are exactly the same as the ones to "xhrtest.html".

In short, there's absolutely no way to tell the difference between an HTTP request that is sent by the browser and one that is sent by an XHR object, for which we would like the CT-proxy to behave transparently.

Am I missing something? What should we say?


Below is the trace of the HTTP headers for both requests:

----------------------------------------------------------
http://www.w3.org/2008/03/xhr-ua-test/test.html

GET /2008/03/xhr-ua-test/test.html HTTP/1.1
Host: www.w3.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: cookieb2evosession=16753213_7K8PV32mWeR6BrLMHqhMbdiFCx7WJtzV
Authorization: Basic ZmQ6QmFja3RvMUE=
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Date: Tue, 18 Mar 2008 10:25:21 GMT
Server: Apache/2
Last-Modified: Tue, 18 Mar 2008 10:23:14 GMT
Etag: "629-448b38628a880"
Accept-Ranges: bytes
Content-Length: 1577
Cache-Control: max-age=21600
Expires: Tue, 18 Mar 2008 16:25:21 GMT
P3P: policyref="http://www.w3.org/2001/05/P3P/p3p.xml"
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


----------------------------------------------------------
http://www.w3.org/2008/03/xhr-ua-test/xhrtest.html

GET /2008/03/xhr-ua-test/xhrtest.html HTTP/1.1
Host: www.w3.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.w3.org/2008/03/xhr-ua-test/test.html
Cookie: cookieb2evosession=16753213_7K8PV32mWeR6BrLMHqhMbdiFCx7WJtzV
Authorization: Basic ZmQ6QmFja3RvMUE=
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.x 200 OK
Date: Tue, 18 Mar 2008 10:25:21 GMT
Server: Apache/2
Last-Modified: Tue, 18 Mar 2008 10:23:14 GMT
Etag: "1e0-448b38628a880"
Accept-Ranges: bytes
Content-Length: 480
Cache-Control: max-age=21600
Expires: Tue, 18 Mar 2008 16:25:21 GMT
P3P: policyref="http://www.w3.org/2001/05/P3P/p3p.xml"
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
----------------------------------------------------------



François.
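The proxy-side check the thread is discussing, written up as an added example (not code from the W3C BPWG or from either author): it treats a request as coming from a browser only on positive evidence from the User-Agent and Accept headers, as Martin's proposed text requires, and shows that the two traces above yield the same decision (the Referer header adds nothing), while a client that labels itself as Bryan suggests is handled transparently. The header values are copied from the trace with folded lines joined; the tokens in NON_BROWSER_TOKENS are hypothetical.

```python
from typing import Dict

# Header set from the first request in the trace (folded lines joined);
# the XHR request in the trace differs only by carrying a Referer header.
BASE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) "
                  "Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12",
    "Accept": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,"
              "text/plain;q=0.8,image/png,*/*;q=0.5",
    "Accept-Language": "en-us,en;q=0.5",
}
XHR_HEADERS = dict(BASE_HEADERS,
                   Referer="http://www.w3.org/2008/03/xhr-ua-test/test.html")

# Hypothetical product tokens that non-browser applications would add to,
# or use instead of, the base User-Agent (Bryan's suggestion); not on the page.
NON_BROWSER_TOKENS = ("ExampleSyncClient/", "ExampleWidget/")


def accept_q(accept: str, media: str) -> float:
    """Return the q-value an Accept header assigns to one exact media type."""
    for item in accept.split(","):
        parts = [p.strip() for p in item.split(";")]
        if parts[0] != media:
            continue
        for p in parts[1:]:
            if p.startswith("q="):
                try:
                    return float(p[2:])
                except ValueError:
                    return 0.0
        return 1.0  # listed without a q parameter
    return 0.0      # not listed at all (wildcards are deliberately ignored)


def is_browser(headers: Dict[str, str]) -> bool:
    """Positive identification: a Mozilla-style User-Agent carrying no known
    application token, and an Accept that lists an HTML media type."""
    h = {k.lower(): v for k, v in headers.items()}
    ua, accept = h.get("user-agent", ""), h.get("accept", "")
    if not ua.startswith("Mozilla/") or any(t in ua for t in NON_BROWSER_TOKENS):
        return False
    return max(accept_q(accept, "text/html"),
               accept_q(accept, "application/xhtml+xml")) > 0


def ct_decision(headers: Dict[str, str]) -> str:
    """Proposed 3.1.1 rule: transform only on a positive browser match."""
    return "transform" if is_browser(headers) else "transparent"
```

Both page requests come out as "transform", which is exactly the problem Francois reports; only a client that changes its User-Agent is told apart.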

Received on Tuesday, 18 March 2008 14:33:02 UTC