- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 8 Jan 2010 13:41:09 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
[[ In particular, the user agent should not add the HTTP headers: User-Agent, Accept, Accept-Language, Accept-Encoding, or Accept-Charset ]]

This seems a bit overly constrictive. Maybe we should send "Accept: */*", etc? More generally, I suspect the requirements in Section 3.2 violate various HTTP RFCs. Maybe we should use the term "willful violation" somewhere?

[[ If the response to a uniform request is an HTTP redirect, it is handled as specified by [HTTP], whether or not the redirect is itself a uniform response. If the redirect is not a uniform response, the user-agent must still prevent the requesting content from accessing the content of the redirect itself, though a response to a redirected request might be accessible if it is a uniform response. If the response to a uniform request is an HTTP redirect, any redirected request must also be a uniform request. ]]

This seems looser than needed. It would be better if the redirect had to be a uniform response also. There's a note in the spec "The HTML <form> element can also follow any redirect, without restriction by the Same Origin Policy", but the <form> element also sends Accept and User-Agent headers. What's the reason for excluding the headers but not requiring redirects to be uniform responses?

What happens with Set-Cookie headers included in uniform responses? It seems like we ought to ignore them based on the principle that UMP requests are made from a state store / context that is completely separate from the user agent's normal state store / context.

Adam
Received on Friday, 8 January 2010 21:42:01 UTC
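The rules quoted in the message above (no ambient request headers, a state store separate from the user agent's cookies, redirect bodies hidden from the requesting content, the final body visible only when it is a uniform response), worked through as a toy client. This is an added illustration, not code from the thread or from the UMP draft; the marker used to recognise a uniform response (`Access-Control-Allow-Origin: *`), the `fetch` transport hook and the sample hosts `a.example` / `b.example` are assumptions constructed for the example.

```python
"""Toy model of uniform-request handling as discussed in the message (added example)."""
from dataclasses import dataclass

# Headers the draft says the user agent must not add to a uniform request.
FORBIDDEN_REQUEST_HEADERS = {
    "user-agent", "accept", "accept-language", "accept-encoding", "accept-charset",
}
MAX_REDIRECTS = 5


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


def build_uniform_request(content_headers: dict, user_cookies: dict) -> dict:
    """Headers actually sent on a uniform request.

    Only the requesting content's own headers go out, minus the ambient ones the
    draft forbids and minus any Cookie header. `user_cookies` (the user agent's
    normal state store) is deliberately never consulted: the uniform context is a
    separate store, so no ambient credentials are attached.
    """
    return {
        name: value
        for name, value in content_headers.items()
        if name.lower() not in FORBIDDEN_REQUEST_HEADERS and name.lower() != "cookie"
    }


def is_uniform_response(resp: Response) -> bool:
    # Assumption for this model: a uniform response is one carrying
    # "Access-Control-Allow-Origin: *". The message itself does not define the marker.
    return resp.headers.get("Access-Control-Allow-Origin", "").strip() == "*"


def perform_uniform_request(url: str, content_headers: dict, user_cookies: dict, fetch):
    """Drive one uniform request through any redirects and return what the
    requesting content may see: the final body if that response is uniform,
    otherwise None. Redirect bodies are never exposed, and every Set-Cookie
    header is dropped on the floor rather than written into `user_cookies`.

    `fetch(url, headers)` is a caller-supplied transport returning a Response.
    """
    headers = build_uniform_request(content_headers, user_cookies)
    for _ in range(MAX_REDIRECTS + 1):
        resp = fetch(url, headers)
        # Set-Cookie is ignored here: nothing from this context touches the user's jar.
        if 300 <= resp.status < 400 and "Location" in resp.headers:
            url = resp.headers["Location"]  # redirected request is itself uniform
            continue
        return resp.body if is_uniform_response(resp) else None
    raise RuntimeError("too many redirects")


# Constructed sample servers for the demonstration (not real hosts).
SAMPLE_SITES = {
    "https://a.example/start": Response(
        302, {"Location": "https://b.example/data", "Set-Cookie": "session=abc"}, "redirect page"),
    "https://b.example/data": Response(
        200, {"Access-Control-Allow-Origin": "*", "Set-Cookie": "tracker=1"}, "public data"),
    "https://b.example/private": Response(200, {}, "secret"),
}
SENT_REQUESTS = []  # (url, headers) pairs observed by the fake transport


def fake_fetch(url: str, headers: dict) -> Response:
    """Transport stand-in that records what was sent and serves SAMPLE_SITES."""
    SENT_REQUESTS.append((url, dict(headers)))
    return SAMPLE_SITES[url]


if __name__ == "__main__":
    jar = {"a.example": {"login": "xyz"}}
    print(perform_uniform_request(
        "https://a.example/start", {"Accept": "text/html", "Content-Type": "text/plain"},
        jar, fake_fetch))
    print(jar, SENT_REQUESTS)
```

Running it shows the redirect chain ending in `"public data"`, while the user's jar is untouched and no `Accept` header ever left the client; a request to the non-uniform `/private` resource yields `None` even though the transport fetched it.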