On May 1, 2006, at 5:45 PM, Mark Nottingham wrote:
> 3) UAs must not allow the following headers to be set by authors:
> Accept-Charset, Accept-Encoding, Content-Length, Date, Host, Keep-Alive,
> Referer, TE, Trailer, Transfer-Encoding
> [example]
I made a proposal about disallowed headers a while back.
http://lists.w3.org/Archives/Public/public-webapi/2006Apr/0225.html
In my proposal, I suggested disallowing the following, with
justifications given: Connection, Date, Keep-Alive, Trailer,
Transfer-Encoding, Upgrade, Expect, Host, Referer, TE
I also suggested the following are suspicious and maybe should be
banned, but did not include a justification:
Via, Accept-Encoding, From, Max-Forwards, Proxy-Authorization
Combining these lists, your list does not include Connection,
Upgrade, Expect, Via, From, Max-Forwards or Proxy-Authorization. Are
you convinced all those are safe? Do you think my specific
justifications for Connection, Upgrade and Expect were wrong?
Your list also includes Accept-Charset; I think that one could
reasonably either be forbidden or allowed.
I also think the spec should justify why headers are disallowed
rather than just stating it; it seems oddly out of context to just
give an arbitrary list.
Regards,
Maciej
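As an added illustration, not code from this thread, from the draft spec, or from any browser: a JavaScript model of the check a user agent's XMLHttpRequest setRequestHeader would apply. The blocklist is the union of the three lists in the message above (Mark's list, Maciej's justified list and the "suspicious" list); which of those a UA really needs to forbid is exactly what the thread debates, so the union is used only to exercise the check. Everything else is an assumption of this example: the case-insensitive comparison (HTTP header names are case-insensitive, so an exact-string blocklist of "Keep-Alive" would be bypassed by "keep-alive"), the token check on the header name, the rejection of CR, LF and NUL in values, and the comma-joining of repeated headers.

```javascript
// Added example; not code from the W3C thread, the XHR draft or any browser.
// Union of the header names listed in the message above. A real UA's list
// is the matter under discussion; this set only exists to exercise the check.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'connection', 'content-length', 'date',
  'expect', 'from', 'host', 'keep-alive', 'max-forwards', 'proxy-authorization',
  'referer', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

// HTTP header-field names are "tokens": one or more of these characters.
// (Assumption: a UA validates the name before consulting the blocklist.)
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Case-insensitive membership test. Comparing the raw string would let an
// author set "KEEP-ALIVE" or "keep-alive" past a list spelled "Keep-Alive".
function isForbiddenRequestHeader(name) {
  return FORBIDDEN_REQUEST_HEADERS.has(String(name).toLowerCase());
}

// Decide whether author script may set this header. Returns a decision
// object instead of throwing so the outcome is easy to inspect in tests.
// The CR/LF/NUL check on the value is an assumption of this example: a UA
// that accepted "x\r\nHost: evil" would let the author inject a forbidden
// header line by way of an allowed one.
function checkRequestHeader(name, value) {
  if (!TOKEN_RE.test(String(name))) {
    return { allowed: false, reason: 'invalid header name' };
  }
  if (isForbiddenRequestHeader(name)) {
    return { allowed: false, reason: 'forbidden header' };
  }
  if (/[\r\n\0]/.test(String(value))) {
    return { allowed: false, reason: 'invalid header value' };
  }
  return { allowed: true, reason: 'ok' };
}

// Small request-header store applying the check the way a UA might:
// accepted headers are stored under a lower-cased key, a repeated header
// is appended with ", " (assumption; HTTP allows combining list-valued
// fields this way), and rejected attempts are recorded for inspection.
class RequestHeaders {
  constructor() {
    this.headers = new Map();
    this.rejected = [];
  }

  // Returns true if the header was stored, false if it was refused.
  set(name, value) {
    const decision = checkRequestHeader(name, value);
    if (!decision.allowed) {
      this.rejected.push({ name, reason: decision.reason });
      return false;
    }
    const key = String(name).toLowerCase();
    const existing = this.headers.get(key);
    this.headers.set(key, existing === undefined ? String(value) : `${existing}, ${value}`);
    return true;
  }

  get(name) {
    return this.headers.get(String(name).toLowerCase());
  }
}

// Walk through a constructed sequence of author calls and report what a UA
// built on these rules would actually send. Sample calls are made up here.
function demo() {
  const h = new RequestHeaders();
  h.set('Accept', 'text/html');
  h.set('accept', 'application/xml');     // merged with the line above
  h.set('X-Requested-With', 'XMLHttpRequest');
  h.set('Keep-Alive', '300');             // forbidden (Mark's list)
  h.set('KEEP-ALIVE', '300');             // still forbidden despite the case
  h.set('Proxy-Authorization', 'Basic x'); // on Maciej's "suspicious" list
  h.set('X-Foo', 'a\r\nHost: evil.example'); // header injection attempt
  return { sent: Object.fromEntries(h.headers), rejected: h.rejected };
}
```

Running demo() shows three headers going out (accept, x-requested-with, and nothing from the refused calls) and four rejections, two of them for the differently-cased Keep-Alive and one for the CR/LF in the value. The comparison in isForbiddenRequestHeader is the part a practitioner should keep an eye on in any real implementation: the list itself is policy, but case-sensitive matching is simply a bypass.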