On 2006/05/02, at 1:33 AM, Maciej Stachowiak wrote:
> Combining these lists, your list does not include Connection,
> Upgrade, Expect, Via, From, Max-Forwards or Proxy-Authorization.
> Are you convinced all those are safe? Do you think my specific
> justifications for Connection, Upgrade and Expect were wrong?

WRT Connection: Mark Baker made an argument that someone may design
an extension that is hop-by-hop, and therefore needs to be added to
Connection. Note that the proposal doesn't allow it to be
overwritten; only appended to.

WRT Upgrade: I think you're right.

WRT Expect: I think you're right, but there should also be a section
about E/C handling in send().

WRT From: I don't think any software actually uses this to inform
behaviour; it's just a way to give a more persistent address for the
user.

WRT Max-Forwards: I'm ambivalent about this one. It could be useful
in debugging proxies, etc. and it has pretty well-defined behaviour...

WRT Proxy-Authorization: Authorization is allowed to be overwritten,
so it seems reasonable to allow Proxy-Auth too (although the use case
would indeed be pretty esoteric; I suppose someone doing something
inside the firewall might want to do something here...)

> Your list also includes Accept-Charset, I think that one could
> reasonably either be forbidden or allowed.

Does DOMString expose the character encoding? I thought it was just a
character abstraction based on Unicode (again, I'm not a DOM expert,
much less an i18n one...)

> I also think the spec should justify why headers are disallowed
> rather than just stating it, it seems oddly out of context to just
> give an arbitrary list.

It was discussed at the F2F yesterday; that might be contributing to
that oddness. I agree there should be justification, but I don't know
that the spec text needs to show the math, so to speak.

I'll send out a revised proposal shortly.

Cheers,
--
Mark Nottingham
[EMAIL PROTECTED]
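
The header handling discussed in the message above, sketched as an added example that is not part of the original message or of the proposal text. It assumes three classes read from the thread: Upgrade and Expect refused, Connection append-only, and everything else (including Authorization and Proxy-Authorization) overwritable; the `RequestHeaders` class and the CR/LF check are hypothetical additions.

```javascript
// Added illustration. Class membership is an assumption drawn from the
// message above, not from any published specification text.
const FORBIDDEN = new Set(["upgrade", "expect"]);   // script may not set these
const APPEND_ONLY = new Set(["connection"]);        // may be extended, never replaced

// Split a comma-separated header value into trimmed, non-empty tokens.
const tokens = (v) => v.split(",").map((t) => t.trim()).filter(Boolean);

class RequestHeaders {
  // `initial` holds headers the user agent set before script ran.
  constructor(initial = {}) {
    this.map = new Map();
    for (const [k, v] of Object.entries(initial)) {
      this.map.set(k.toLowerCase(), String(v));
    }
  }

  // Returns true if the header was applied, false if the policy refused it.
  set(name, value) {
    const key = String(name).toLowerCase();
    const val = String(value);
    // Added hardening (not from the message): the name must be an HTTP
    // token and the value must not contain CR/LF, so a value cannot carry
    // a second header line that bypasses the forbidden list.
    if (!/^[!#$%&'*+.^_`|~0-9a-z-]+$/.test(key) || /[\r\n]/.test(val)) return false;
    if (FORBIDDEN.has(key)) return false;
    if (APPEND_ONLY.has(key) && this.map.has(key)) {
      // Keep every existing token and add only the new ones.
      const merged = tokens(this.map.get(key));
      for (const t of tokens(val)) {
        if (!merged.some((m) => m.toLowerCase() === t.toLowerCase())) merged.push(t);
      }
      this.map.set(key, merged.join(", "));
      return true;
    }
    this.map.set(key, val); // overwritable class
    return true;
  }

  get(name) {
    return this.map.get(String(name).toLowerCase());
  }
}
```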