- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 9 May 2012 19:15:46 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Ian Melven <imelven@mozilla.com>, public-webapps@w3.org, Sid Stamm <sid@mozilla.com>, Tom Lowenthal <tom@mozilla.com>

On Wed, May 9, 2012 at 2:38 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, May 8, 2012 at 9:34 PM, Ian Melven <imelven@mozilla.com> wrote:
>> i'd like to propose that the Do Not Track header (see http://www.w3.org/TR/tracking-dnt/#dnt-header-field) "DNT"
>> be added to the list of request headers not allowed to be set via XHR's setRequestHeader method (see
>> http://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html#the-setrequestheader%28%29-method)
>
> That shouldn't be a problem. I wonder, should we remove the "Sec-"
> handling? That was suggested at some point as we are special casing
> header naming, but it does not appear to be used.

It's used by WebSockets.

> And given that
> updating this magic list is not really a big problem and browsers are
> updated quick enough maybe that is just as well.

Maybe. Another perspective is that not all browsers are on the
fast-update train yet and folks might want to define headers that
can't be spoofed by them.

Adam

Received on Thursday, 10 May 2012 02:16:48 UTC
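
The trade-off discussed in this thread, as an added example that is not part of the original message or of any browser's code: a model of the setRequestHeader() name check showing that an exact-name entry such as "DNT" only protects browsers whose list has been updated, while the "Sec-" prefix rule also covers headers defined after a browser shipped. The shipped list is an abridged subset chosen for illustration, and `makeBrowser`, `compare` and the header "Sec-Example-Signal" are hypothetical names.

```javascript
// Added illustration: models the header-name check applied by setRequestHeader().
// SHIPPED_LIST is an abridged, constructed subset of the blocked names,
// standing in for the list a browser had before "DNT" was proposed.
const SHIPPED_LIST = [
  "accept-charset", "accept-encoding", "connection", "content-length",
  "cookie", "host", "origin", "referer", "user-agent",
];

// Prefix rules: any header whose name starts with one of these is blocked,
// including names that did not exist when the browser was released.
const BLOCKED_PREFIXES = ["proxy-", "sec-"];

// Build the check for one browser build. extraNames models exact-name
// entries added to the list after SHIPPED_LIST was frozen.
function makeBrowser(extraNames) {
  const exact = new Set([
    ...SHIPPED_LIST,
    ...extraNames.map((n) => n.toLowerCase()),
  ]);
  return function isBlocked(name) {
    // Header names are case-insensitive, so compare in lower case.
    const n = String(name).toLowerCase();
    return exact.has(n) || BLOCKED_PREFIXES.some((p) => n.startsWith(p));
  };
}

const staleBrowser = makeBrowser([]);        // not yet updated with "DNT"
const updatedBrowser = makeBrowser(["DNT"]); // list updated per the proposal

// Report whether script could be prevented from setting the header
// in each of the two modelled builds.
function compare(name) {
  return { name, stale: staleBrowser(name), updated: updatedBrowser(name) };
}

// Constructed sample names; "Sec-Example-Signal" is hypothetical.
const SAMPLES = [
  "DNT", "dnt", "Sec-Example-Signal", "Sec-WebSocket-Key", "X-Requested-With",
];
for (const row of SAMPLES.map(compare)) {
  console.log(row);
}
```

A server that needs to trust a header as browser-originated can rely on a "Sec-" name in both modelled builds, but on "DNT" only where the updated list is present.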