
Re: [XHR2] Feedback on sec-* headers

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 22 Feb 2011 13:28:00 +1100
Cc: public-webapps@w3.org
Message-Id: <1F3C9ED3-4B76-49C5-A027-5D6D516ACE90@mnot.net>
To: Adam Barth <w3c@adambarth.com>

On 22/02/2011, at 1:08 PM, Adam Barth wrote:

> I'm not sure I understand how this would work.  Let's take the example
> of Sec-WebSocket-Key.  When would the user agent send XHR2-Secure:
> Sec-WebSocket-Key ?


Ah, I see; you want to dynamically prohibit the client sending a header, rather than declare what headers the client didn't allow modification of.

A separate header won't help you, no.  

The problems I brought up still stand, however. I think we need to have a discussion about how much convenience the implementers really need here, and also to look at the impact on the registration procedure for HTTP headers.

Cheers,



--
Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 22 February 2011 02:28:31 UTC
