On 4/10/09 9:50 AM, Bil Corry wrote:
http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/c0f1a44e4fb98859#anchor_ffeba39158c82a91

While I do like the idea of an Accept-Header header for capability-advertising uses, it's not yet implemented. And I fear if it were implemented, it may encourage adding too many X-headers to the request ... which is orthogonal to our goal in avoiding a new header for CSP versioning. There's already tremendous pressure to keep the number of HTTP headers low. If we were already sending Accept-Header, I'd jump right on it as a place to put the CSP version, but I don't really think it's wise to add this new header with only CSP using it for now.

If we advertise the version at all (I'm still on the fence here), I think maybe putting CSP version into the User-Agent header might be appropriate, since CSP is technically a capability of the user agent.
http://tools.ietf.org/html/rfc2616#section-14.43

If indeed the UA gets scrubbed by someone concerned about privacy (or a proxy/firewall/etc), it seems appropriate that this advertisement of a user-agent's capability (the CSP version) should get scrubbed too.

So the UA string is harder to parse than a header containing only this version, but the syntax is fairly straightforward in RFC 2616. Also, I'm not seeing a Flash-Version header, or a header that alone advertises any other browser capabilities, so unless we want to make a new header and put *all* advertised capabilities in it, User-Agent seems the best choice.

Cheers,
Sid
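As an added example (not code from the thread or from Mozilla), here is a small parser for the RFC 2616 User-Agent grammar that pulls out a product token advertising a CSP version; the token name "CSP", the function names and the sample UA string are assumptions, since no such token was ever specified.

```python
import re

# RFC 2616 section 2.2 "token": any CHAR except CTLs and separators.
_TOKEN = r'[^\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]+'
_PRODUCT = re.compile(r'(%s)(?:/(%s))?' % (_TOKEN, _TOKEN))

def parse_user_agent(ua):
    """(product, version, comments) triples per RFC 2616 section 14.43: product
    tokens, optionally "name/version", mixed with nestable parenthesised comments."""
    items, i, n = [], 0, len(ua)
    while i < n:
        if ua[i] in ' \t':
            i += 1
        elif ua[i] == '(':
            depth, start = 0, i
            while i < n:
                if ua[i] == '\\':            # quoted-pair: skip escaped char
                    i += 2
                    continue
                depth += {'(': 1, ')': -1}.get(ua[i], 0)
                if depth == 0:
                    break
                i += 1
            if depth != 0:
                raise ValueError('unbalanced comment in User-Agent')
            if not items:                    # comment before any product
                items.append(['', '', []])
            items[-1][2].append(ua[start + 1:i])   # attach to preceding product
            i += 1
        else:
            m = _PRODUCT.match(ua, i)
            if not m:
                raise ValueError('bad product token at offset %d' % i)
            items.append([m.group(1), m.group(2) or '', []])
            i = m.end()
    return [tuple(item) for item in items]

def csp_version(ua, product='CSP'):
    """Version of the assumed 'CSP' product token, or None when absent or the
    UA is unparsable (the same answer a privacy-scrubbed UA gives)."""
    try:
        for name, version, _ in parse_user_agent(ua):
            if name.lower() == product.lower():
                return version or None
    except ValueError:
        pass
    return None

# Constructed sample: a Gecko-era UA string with an assumed CSP/1.0 token appended.
SAMPLE_UA = 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1) Gecko/20090403 Firefox/3.5 CSP/1.0'
```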

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
