Julian Reschke wrote:
Jonas Sicking wrote:
The XHR spec currently allows users to set the "Proxy-Connection"
header using the setRequestHeader method. I couldn't find a spec for it
other than some discussions here:
...
As far as I can tell, the spec doesn't even mention the header.
Are you saying the spec should disallow setting a header that isn't even
registered (<http://www.iana.org/assignments/message-headers/>)?
Yes, if it's a security problem not to. IMHO that should be the
determining factor.
Actually, I'm wondering if we should disallow any header starting with
"Proxy-". For example, the Proxy-Authorization header looks scary to me.
/ Jonas
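
The prefix rule proposed above, set beside an exact-name list, as an added example that is not part of the thread or of any XHR spec text. The function names, the one-entry list and the sample header names are assumptions made for illustration.

```javascript
// Added illustration. All names here are hypothetical, not XHR spec text.
// Header field names must match the HTTP "token" grammar (RFC 7230).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Exact-name list holding only the header named in the thread.
const EXACT_DENYLIST = new Set(["proxy-connection"]);
// Prefix rule as proposed in the thread.
const DENIED_PREFIXES = ["proxy-"];

// Returns "invalid", "blocked" or "allowed" for a header name passed to a
// setRequestHeader-style API. usePrefixRule toggles the proposed rule.
function classifyHeaderName(name, usePrefixRule) {
  if (typeof name !== "string" || !TOKEN.test(name)) return "invalid";
  const lower = name.toLowerCase(); // field names are case-insensitive
  if (EXACT_DENYLIST.has(lower)) return "blocked";
  if (usePrefixRule && DENIED_PREFIXES.some((p) => lower.startsWith(p))) {
    return "blocked";
  }
  return "allowed";
}

// Names that only the prefix rule stops: the gap an exact list leaves.
function missedByExactList(names) {
  return names.filter(
    (n) =>
      classifyHeaderName(n, false) === "allowed" &&
      classifyHeaderName(n, true) === "blocked"
  );
}

// Constructed sample input.
const SAMPLE_NAMES = [
  "Proxy-Connection",
  "pRoXy-CoNnEcTiOn",
  "Proxy-Authorization",
  "Proxy-Example-Unregistered", // made-up name, stands for any future header
  "X-Proxy-Hint",               // contains "proxy-" but does not start with it
  "Accept",
  "Proxy-Authorization ",       // trailing space: not a valid token
];

for (const n of SAMPLE_NAMES) {
  console.log(JSON.stringify(n), classifyHeaderName(n, false), classifyHeaderName(n, true));
}
console.log("missed by exact list:", missedByExactList(SAMPLE_NAMES));
```

An exact-name list has to be extended for every new header, registered or not, while the prefix rule covers the whole "Proxy-" namespace; rejecting non-token names first keeps a padded name from slipping past either check.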