There's a new proposal for this:
http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0219.html
I think it addresses your concerns.
This looks good. It does seem to imply that other request headers may be
considered for inclusion in the whitelist. Therefore, I would like to
suggest the following additional headers be permitted in the standard
whitelist of request headers:
Expect - A basic HTTP header that can be useful for checking a request before
sending a full request
From - This can be voluntarily provided by user agents to identify who the
user is
Range - To request a partial subset of a resource (with Atom Publishing
Protocol this is becoming increasingly useful)
XSite-* - I believe we should have a subdomain of allowed custom headers,
that both server and client will be mutually aware will not be filtered in
cross site requests.
I don't believe any of these headers represents a security threat.
No such optimization has been discussed and I'm not sure we should add
it. If this indeed becomes a common pattern we can always optimize later.
(Premature optimization and all...)
That sounds reasonable.
BTW, I am very excited about this specification, this is really going to
open up some exciting possibilities. Good work,
Thanks,
Kris