Re: XHR's setRequestHeader and the Do Not Track (DNT) header

On Wed, May 9, 2012 at 2:38 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, May 8, 2012 at 9:34 PM, Ian Melven <imelven@mozilla.com> wrote:
>> I'd like to propose that the Do Not Track header (see http://www.w3.org/TR/tracking-dnt/#dnt-header-field) "DNT"
>> be added to the list of request headers not allowed to be set via XHR's setRequestHeader method (see
>> http://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html#the-setrequestheader%28%29-method)
>
> That shouldn't be a problem. I wonder, should we remove the "Sec-"
> handling? That was suggested at some point as we are special casing
> header naming, but it does not appear to be used.

It's used by WebSockets.

> And given that
> updating this magic list is not really a big problem and browsers are
> updated quick enough maybe that is just as well.

Maybe.  Another perspective is that not all browsers are on the
fast-update train yet and folks might want to define headers that
can't be spoofed by them.

Adam

Received on Thursday, 10 May 2012 02:16:48 UTC
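
The trade-off discussed in this message, as an added example that is not part of the thread or of the specification text: a model of the name check behind setRequestHeader(), comparing a browser whose fixed list predates the DNT addition with one that has been updated. The fixed names follow the setRequestHeader() section of the XMLHttpRequest draft linked above as it stood around this thread; the function names and `Sec-Example-Token` are hypothetical.

```javascript
// Added illustration: models the header-name check in setRequestHeader().
// Fixed names as in the XMLHttpRequest draft of the time (matched case-insensitively).
const FORBIDDEN_NAMES = [
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "content-transfer-encoding", "date", "expect", "host",
  "keep-alive", "origin", "referer", "te", "trailer", "transfer-encoding",
  "upgrade", "user-agent", "via",
];
// Prefix rules: any name starting with these is refused without a list update.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Build a checker for one browser build; extraNames models later list updates.
function makeChecker(extraNames = []) {
  const names = new Set(
    [...FORBIDDEN_NAMES, ...extraNames].map((n) => n.toLowerCase())
  );
  return function isForbidden(name) {
    const lower = String(name).toLowerCase();
    return names.has(lower) || FORBIDDEN_PREFIXES.some((p) => lower.startsWith(p));
  };
}

// Model of what reaches the wire: forbidden names are silently dropped.
function applyHeaders(isForbidden, requested) {
  const sent = {};
  for (const [name, value] of Object.entries(requested)) {
    if (!isForbidden(name)) sent[name] = value;
  }
  return sent;
}

const oldBrowser = makeChecker();            // list before the DNT proposal
const updatedBrowser = makeChecker(["DNT"]); // list after the proposal

// Constructed sample: headers a page script attempts to set.
const scriptHeaders = {
  "DNT": "0",
  "Sec-WebSocket-Key": "constructed-value",
  "Sec-Example-Token": "constructed-value", // hypothetical, defined after the browser shipped
  "X-Requested-With": "XMLHttpRequest",
};

console.log("old browser sends:", applyHeaders(oldBrowser, scriptHeaders));
console.log("updated browser sends:", applyHeaders(updatedBrowser, scriptHeaders));
```

On the old build the script-supplied `DNT` value still goes out, while both `Sec-` headers are refused by the prefix rule alone, so a server can rely on a `Sec-` header not having been set by script even when the browser predates that header's definition.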