Expanding setRequestHeader() blacklist (was: Re: XHR LC comments)

On Wed, 14 May 2008 22:45:32 +0200, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 14 May 2008, Bjoern Hoehrmann wrote:
>>
>> Note that there are more headers on the list than the ones listed above,
>> specifically Proxy-*, Sec-*, and it is unclear how to handle, say, the
>> Cookie and Authorization header.
>
> I think I would lump the Cookie, Cookie2, and Authorization headers in the
> same bucket as, e.g., Host -- these are headers that the UA should be
> setting and not headers that should be under author control.

Agreed, I added these.


> Incidentally, I think I would recommend removing the blacklist from AC,
> since AC has a whitelist. Having both seems pointless.

Access Control for Cross-Site Requests does actually allow arbitrary
headers in the request, though a preflight request is required if they are
not in the whitelist. Therefore it is important that the blacklist is
still there to filter out all headers that should not be allowed even if
the server agrees. (Arguably this blacklist is not relevant in the
XMLHttpRequest case because there those headers are filtered at an earlier
level.)


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 16 May 2008 09:02:13 UTC
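The two layers Anne describes (the XHR blacklist applied at setRequestHeader() time, and the Access Control whitelist/preflight that still refuses blacklisted headers even when the server would allow them) are easy to mix up, so here is a small model of both as an added example. This is illustration code written for this archive page, not code from the XMLHttpRequest or Access Control drafts or from any browser. The blacklist contains only the names the thread mentions (Host, Cookie, Cookie2, Authorization, Proxy-*, Sec-*); the real list is longer. The whitelist of headers that need no preflight is an assumed placeholder, not the draft's list, and the failure behaviour of a refused preflight is modelled as a failed request.

```javascript
// Added example, not from the thread. Forbidden names are the subset named
// in the discussion; the real list has more entries.
const FORBIDDEN_NAMES = new Set(['host', 'cookie', 'cookie2', 'authorization']);
const FORBIDDEN_PREFIXES = ['proxy-', 'sec-'];

// Assumed placeholder for the Access Control whitelist (headers that may be
// sent cross-site without a preflight). Not the draft's actual list.
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-type']);

// The blacklist: UA-controlled headers an author may never set.
function isForbiddenRequestHeader(name) {
  const n = name.trim().toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Model of XMLHttpRequest.setRequestHeader(): the blacklist is applied here,
// "at an earlier level", so forbidden headers never reach the network layer.
// Modelled as silently ignored (returns false); repeated headers are combined.
function setRequestHeader(headers, name, value) {
  if (isForbiddenRequestHeader(name)) return false;
  const key = name.trim().toLowerCase();
  headers.set(key, headers.has(key) ? `${headers.get(key)}, ${value}` : value);
  return true;
}

// Model of the Access Control decision for a cross-site request, given the
// author's headers and the list the server would allow in a preflight answer:
//  - blacklisted headers are refused regardless of what the server allows,
//  - whitelisted headers go out without a preflight,
//  - any other header forces a preflight and must appear in the allow-list,
//    otherwise the whole request fails (modelled as ok === false).
function decideCrossSiteHeaders(authorHeaders, serverAllowHeaders) {
  const allow = new Set(serverAllowHeaders.map((h) => h.trim().toLowerCase()));
  const result = { preflight: false, ok: true, sent: [], refused: [] };
  for (const [rawName] of authorHeaders) {
    const name = rawName.trim().toLowerCase();
    if (isForbiddenRequestHeader(name)) {
      // The server "agreeing" (name in allow) changes nothing here.
      result.refused.push(name);
      continue;
    }
    if (SIMPLE_HEADERS.has(name)) {
      result.sent.push(name);
      continue;
    }
    result.preflight = true;
    if (allow.has(name)) result.sent.push(name);
    else result.ok = false;
  }
  if (!result.ok) result.sent = [];
  return result;
}

module.exports = { isForbiddenRequestHeader, setRequestHeader, decideCrossSiteHeaders };
```

Running decideCrossSiteHeaders with a server allow-list that names Cookie shows the point of keeping both mechanisms: Cookie is refused by the blacklist before the allow-list is even consulted, while a custom X-Custom header is sent only after a preflight in which the server lists it.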