- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Mon, 1 May 2006 15:13:48 -0700
- To: "Web APIs WG (public)" <public-webapi@w3.org>
This is actually split across send and setRequestHeader;

* send()

If the UA allows the specification of a proxy, it should modify the request appropriately; i.e., connect to the proxy host instead of the origin server, modify the Request-Line and send Proxy-Authorization headers as specified.

If the UA supports HTTP Authentication [RFC2617], it should consider XHR calls to be part of the protection space that includes the accessed URIs, and send Authorization headers and handle 401 Unauthorised requests appropriately. If authentication fails, UAs should prompt the users for credentials.

If the UA supports HTTP State Management [RFC2109 RFC2965], it should persist, discard and send cookies (as received in the Set-Cookie and Set-Cookie2 response headers, and sent in the Cookie header) as applicable.

If the UA implements a HTTP cache [RFC2616], it should respect Cache-Control request headers set by the author (e.g., "Cache-Control: no-cache" bypasses the cache). It must not send Cache-Control or Pragma request headers automatically unless the user explicitly requests such behaviour (e.g., by force-reloading the page). 304 Not Modified responses that are a result of a UA-generated conditional request must be presented as 200 OK responses with the appropriate content. Such UAs must allow authors to override automatic cache validation by setting request headers (e.g., If-None-Match, If-Modified-Since), in which case 304 Not Modified responses must be passed through.

If the UA implements server-driven content-negotiation [RFC2616], it should set Accept-Language, Accept-Encoding and Accept-Charset headers as appropriate; it must not automatically set the Accept header. Responses to such requests must have content-codings automatically removed.

* setRequestHeader()

The nominated request header field value must be set to value, with the following exceptions;

1) Nothing must be done if the header or value arguments contain any U+000A LINE FEED or U+000D CARRIAGE RETURN characters, or if the header argument contains any U+0020 SPACE or U+003A COLON characters.

2) UAs must not allow the following headers to be set by authors:
   Accept-Charset, Accept-Encoding, Content-Length, Connection, Date, Host, Keep-Alive, Referer, TE, Trailer, Transfer-Encoding

Implementations must replace any existing value if the nominated request header field value is one of:
   Authorization, Content-Base, Content-Location, Content-MD5, Content-Range, Content-Type, Content-Version, Delta-Base, Depth, Destination, ETag, Expect, From, If-Modified-Since, If-Range, If-Unmodified-Since, Max-Forwards, MIME-Version, Overwrite, Proxy-Authorization, SOAPAction, Timeout

Otherwise, if the nominated request header field already has a value, the new value must be combined with the existing value, as specified by [RFC2616 Section 4.2].

--
Mark Nottingham
mnot@yahoo-inc.com

Received on Monday, 1 May 2006 22:15:12 UTC