- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 23 Jul 2007 00:34:54 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: Web APIs WG <public-webapi@w3.org>
Julian Reschke wrote:
>
> Jonas Sicking wrote:
>>
>> The XHR spec currently allows users to set the "Proxy-Connection"
>> header using setRequestHeader method. I couldn't find a spec for it
>> other than some discussions here:
>> ...
>
> As far as I can tell, the spec doesn't even mention the header.
>
> Are you saying the spec should disallow setting a header that isn't even
> registered (<http://www.iana.org/assignments/message-headers/>)?

Yes, if it's a security problem not to. IMHO that should be the
determining factor.

Actually, I'm wondering if we should disallow any header starting with
"Proxy-". For example Proxy-Authorization header looks scary to me.

/ Jonas
Received on Monday, 23 July 2007 07:35:34 UTC