- From: Hallvord Reiar Michaelsen Steen <hallvord@hallvord.com>
- Date: Wed, 25 Jan 2006 20:44:05 +0900
Replying to myself...

On 20 Jun 2005 at 15:52, Hallvord Reiar Michaelsen Ste wrote:

> Commenting on
> http://www.whatwg.org/specs/web-apps/current-work/#setrequestheader
<X>
> I'm not sure why we disallow normal headers at all.
<X>
> Would it be better if the spec just stated what headers could be
> overridden or appended to? Basically we would have three categories:
> untouchable, override and append (depending on whether the header
> value can be a comma-separated list or not).

Here is a proposed replacement section (replacing the text from "User agents must not set any headers other than.." to the send method section.)

Editorial changes:

* Added many more headers - particularly disallowed ones
* Do not blanket disallow UAs from sending headers (but still mention cache-control specifically)
* I didn't see any reason for disallowing Accept-* headers, so I put them in the "append values to these" category. Nobody replied when I asked about this back in June.
* Added a statement about caching proxy behaviour (this came out of our discussion on whether UAs should report status 304 as 200)
* Added a list of headers that the UA can interpret OR pass on to the server according to caching proxy logic. I don't know if this is a complete list, since I haven't read that part of the HTTP spec recently.

HTML below, hopefully ready for the spec - feedback welcome!

<p>The user agent may send any of these headers but must not allow the script to set any of them:</p>
<ul>
<li>Allow</li>
<li>Allowed</li>
<li>Connection</li>
<li>Content-Length</li>
<li>Content-Location</li>
<li>Content-Range</li>
<li>Host</li>
<li>Keep-alive</li>
<li>Max-Forwards</li>
<li>Proxy-Authorization</li>
<li>Public</li>
<li>Referer</li>
<li>TE</li>
<li>Trailer</li>
<li>Transfer-Encoding</li>
<li>Upgrade</li>
<li>URI</li>
<li>Vary</li>
<li>Via</li>
<li>Warning</li>
<li>WWW-Authenticate</li>
</ul>
<p>The User Agent may send any of these headers. Values set by the script must be concatenated with the UA's value after a comma and a space.</p>
<ul>
<li>Accept-Charset</li>
<li>Accept-Encoding</li>
<li>Accept-Language</li>
<li>Authorization</li>
<li>Cookie</li>
<li>Cookie2</li>
<li>User-Agent</li>
</ul>
<p>The User Agent must not automatically send the following headers:</p>
<ul>
<li>Cache-Control</li>
<li>Pragma</li>
</ul>
<p>User Agents must interpret any cache-related headers set by the script according to HTTP's rules for caching proxies. <a href="#refsHTTP">[HTTP]</a>. This includes the following headers, which after being processed by the UA may or may not be sent to the server:</p>
<ul>
<li>If-Modified-Since</li>
<li>If-None-Match</li>
<li>If-Range</li>
<li>Range</li>
</ul>

--
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/
Received on Wednesday, 25 January 2006 03:44:05 UTC
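
The header categories proposed in the message above, written out as a request-header policy. This is an added example, not part of the original post or of any spec text; `newRequest` and `setHeader` are hypothetical names, and silently dropping an untouchable header and passing unlisted headers through are assumptions the proposal does not spell out.

```javascript
// Added example: the header categories from the proposal as a request-header policy.
// newRequest and setHeader are hypothetical names, not a browser API.
const UNTOUCHABLE = new Set(["allow", "allowed", "connection", "content-length",
  "content-location", "content-range", "host", "keep-alive", "max-forwards",
  "proxy-authorization", "public", "referer", "te", "trailer",
  "transfer-encoding", "upgrade", "uri", "vary", "via", "warning",
  "www-authenticate"]);
const APPEND = new Set(["accept-charset", "accept-encoding", "accept-language",
  "authorization", "cookie", "cookie2", "user-agent"]);
const NOT_AUTO_SENT = new Set(["cache-control", "pragma"]);
const CACHE_LOGIC = new Set(["if-modified-since", "if-none-match", "if-range", "range"]);

const norm = (name) => name.trim().toLowerCase(); // header names are case-insensitive

// Build the UA's own header set; Cache-Control and Pragma are never pre-filled.
function newRequest(uaDefaults) {
  const headers = new Map();
  for (const [name, value] of Object.entries(uaDefaults)) {
    if (!NOT_AUTO_SENT.has(norm(name))) headers.set(norm(name), value);
  }
  return { headers, forCache: new Map() };
}

// Apply one script-supplied header and return the category that decided it.
function setHeader(req, name, value) {
  const key = norm(name);
  if (UNTOUCHABLE.has(key)) return "untouchable"; // assumption: dropped silently
  if (APPEND.has(key)) {
    const ua = req.headers.get(key);
    // Script value goes after the UA's value, separated by a comma and a space.
    req.headers.set(key, ua === undefined ? value : `${ua}, ${value}`);
    return "append";
  }
  if (CACHE_LOGIC.has(key)) {
    req.forCache.set(key, value); // handed to the UA's cache logic, not sent directly
    return "cache";
  }
  req.headers.set(key, value); // assumption: unlisted headers pass through as set
  return "script";
}
```

Matching on the lower-cased name is what keeps a script from reaching `Host` or `Transfer-Encoding` through a differently cased spelling.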