Re: XMLHttpRequest for Last Call from Julian Reschke on 2007-02-13 (public-webapi@w3.org from February 2007)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 13 Feb 2007 16:59:12 +0100
To: Anne van Kesteren <annevk@opera.com>
CC: "Web API WG (public)" <public-webapi@w3.org>, Web API WG <member-webapi@w3.org>
Message-ID: <45D1E050.8000609@gmx.de>

Anne van Kesteren schrieb:
> 
> Hi,
> 
> I suggest we publish 
> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/XMLHttpRequest/Overview.html?content-type=text/html;%20charset=utf-8 
> as Last Call Working Draft by next Monday. If you have any objections 
> please post them to the public list.
> 
> (Please remove the member list on follow-up e-mail.)
> 
> Cheers,

I think the spec needs to be carefully checked for usage of 
RFC2119/BCP14 terminology. For instance 
(<http://dev.w3.org/cvsweb/~checkout~/2006/webapi/XMLHttpRequest/Overview.html?content-type=text/html;%20charset=utf-8#dfn-setrequestheader>):

"For security reasons nothing SHOULD be done if the header argument 
matches one of the following headers case-insensitively:"

I think I understand what the intent is, but maybe it should be 
rephrased to:

"For security reasons, a server SHOULD ignore any attempt to modify any 
of the headers below (header names being matched case-insensitively):"

Best regards, Julian

Received on Tuesday, 13 February 2007 15:59:12 UTC