
Re: [XHR2] Feedback on sec-* headers

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 21 Feb 2011 19:55:45 -0800
Message-ID: <AANLkTim6pj4p4owWkw7uCJ-MvmOedp+yXvMFMZ7ynhNL@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: public-webapps@w3.org

On Mon, Feb 21, 2011 at 6:28 PM, Mark Nottingham <mnot@mnot.net> wrote:
> On 22/02/2011, at 1:08 PM, Adam Barth wrote:
>> I'm not sure I understand how this would work.  Let's take the example
>> of Sec-WebSocket-Key.  When would the user agent send XHR2-Secure:
>> Sec-WebSocket-Key ?
> Ah, I see; you want to dynamically prohibit the client sending a header, rather than declare what headers the client didn't allow modification of.
> A separate header won't help you, no.
> The problems I brought up still stand, however. I think we need to have a discussion about how much convenience the implementers really need here, and also to look at the impact on the registration procedure for HTTP headers.

The Sec- behavior has only been implemented for a few years at this
point.  If there was another solution that worked better, we could
likely adopt it.  I couldn't think of one at the time, but other folks
might have more clever ideas.

Received on Tuesday, 22 February 2011 03:56:49 UTC
