- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 07 Mar 2008 15:29:09 -0800
- To: Morgan L <morganl.webkit@yahoo.com>
- CC: public-webapi@w3.org
Morgan L wrote:
> Hi, I'm writing about what appears to be an error in
> the XHR TR.
>
> In section 2 of http://www.w3.org/TR/XMLHttpRequest/,
> it says that setRequestHeader should reject the
> connection header.
>
> However, there are web apps in existence (e.g., Gmail)
> that set the "connection: close" header to inform the
> user-agent that the HTTP transaction is going to take
> a long time. (This is also informative for the
> server.) This allows a user-agent to not count this
> connection against the RFC 2616 recommended maximum of
> 2 persistent connections per host.
>
> So, it seems to me that the arguments
> setRequestHeader("connection", "close") should be
> allowed.
>
> More details in this WebKit bug:
> http://bugs.webkit.org/show_bug.cgi?id=17682
>
> It looks like recent versions of WebKit and Gecko
> block the "connection" request header per this TR.
> However, Firefox 2 does not.
We do block, but not because of this TR. IIRC there are security issues
with other values for connection, though I don't specifically remember
what they are. However setting something like "connection: keep-alive"
when the browser is not expecting that could have bad effects on other
connections to that server.
/ Jonas
Received on Friday, 7 March 2008 23:29:37 UTC