- From: Hallvord Reiar Michaelsen Steen <hallvord@hallvord.com>
- Date: Mon, 20 Jun 2005 15:52:37 +0200
Commenting on
http://www.whatwg.org/specs/web-apps/current-work/#setrequestheader

> User agents must not set any headers other than the
> headers set by the author using this method, with the
> following exceptions:

That paragraph means it is against the specification to send other headers than those in the list and those set with setRequestHeader with an XMLHttpRequest. Headers like "Accept", "Accept-Language", "Referer" are not mentioned in the list and thus illegal.

I'm not sure why we disallow normal headers at all. Accept-Language should be allowed, or do we expect that every app using content-negotiation for language choice looks at navigator.language or something to set the header manually? For form posts, Content-Length is obviously required. I was also surprised that referer is omitted, but I suppose it's pretty useless anyway.

If we want the "blanket disallow with exceptions" approach in the spec, are there other headers we should allow? Would it be better if the spec just stated what headers could be overridden or appended to? Basically we would have three categories: untouchable, override and append (depending on whether the header value can be a comma-separated list or not).

--
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/
Received on Monday, 20 June 2005 06:52:37 UTC
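
An added example, not part of the original message or of the WHATWG draft: a sketch of the three-category merge the message proposes (untouchable, override, append) applied to author-supplied headers. The assignments in `POLICY`, the function name `mergeHeaders`, the treatment of unlisted headers as override, and the sample values are assumptions made for illustration.

```javascript
// Hypothetical category table. These assignments are assumptions for
// illustration; neither the e-mail nor the draft specifies them.
const POLICY = new Map([
  ["content-length", "untouchable"], // user agent computes it from the body
  ["referer", "untouchable"],        // user agent decides what to disclose
  ["accept", "append"],              // value is a comma-separated list
  ["accept-language", "append"],     // value is a comma-separated list
  ["content-type", "override"],      // single-valued
]);

// Header names must be HTTP tokens; values must not contain CR or LF,
// otherwise an author-supplied value could inject an extra header line.
const TOKEN = /^[!#$%&'*+.^_`|~0-9a-z-]+$/;

// uaDefaults: object of header -> value the user agent would send anyway.
// authorCalls: array of [name, value] pairs, one per setRequestHeader call.
// Returns the merged headers (lower-cased names) and the rejected names.
function mergeHeaders(uaDefaults, authorCalls) {
  const out = new Map();
  for (const [name, value] of Object.entries(uaDefaults)) {
    out.set(name.toLowerCase(), String(value));
  }
  const rejected = [];
  for (const [rawName, rawValue] of authorCalls) {
    const name = String(rawName).toLowerCase();
    const value = String(rawValue);
    if (!TOKEN.test(name) || /[\r\n]/.test(value)) {
      rejected.push(rawName);
      continue;
    }
    // Assumption: headers absent from the table may be set freely.
    const category = POLICY.get(name) || "override";
    if (category === "untouchable") {
      rejected.push(rawName);               // user agent value stays in force
    } else if (category === "append" && out.has(name)) {
      out.set(name, out.get(name) + ", " + value);
    } else {
      out.set(name, value);
    }
  }
  return { headers: Object.fromEntries(out), rejected };
}
```
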