One more question: the draft doesn't seem to provide any way to generate a uniform request. Are we planning to have another specification for an API for generating these requests?
Adam

On Fri, Jan 8, 2010 at 1:41 PM, Adam Barth <[email protected]> wrote:
> [[
> In particular, the user agent should not add the HTTP headers:
> User-Agent, Accept, Accept-Language, Accept-Encoding, or
> Accept-Charset
> ]]
>
> This seems a bit overly constrictive. Maybe we should send "Accept: */*",
> etc?
>
> More generally, I suspect the requirements in Section 3.2 violate
> various HTTP RFCs. Maybe we should use the term "willful violation"
> somewhere?
>
> [[
> If the response to a uniform request is an HTTP redirect, it is
> handled as specified by [HTTP], whether or not the redirect is itself
> a uniform response. If the redirect is not a uniform response, the
> user-agent must still prevent the requesting content from accessing
> the content of the redirect itself, though a response to a redirected
> request might be accessible if it is a uniform response. If the
> response to a uniform request is an HTTP redirect, any redirected
> request must also be a uniform request.
> ]]
>
> This seems looser than needed. It would be better if the redirect had
> to be a uniform response also. There's a note in the spec "The HTML
> <form> element can also follow any redirect, without restriction by
> the Same Origin Policy", but the <form> element also sends Accept and
> User-Agent headers. What's the reason for excluding the headers but
> not requiring redirects to be uniform responses?
>
> What happens with Set-Cookie headers included in uniform responses?
> It seems like we ought to ignore them based on the principle that UMP
> requests are made from a state store / context that is completely
> separate from the user agent's normal state store / context.
>
> Adam
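
The redirect rule quoted above, next to the stricter variant proposed in the reply, as an added example that is not part of the original message or of the draft. Responses are constructed objects whose `uniform` flag is supplied as input (how a response qualifies as uniform is not modeled), and `fetchUniform`, `strictRedirects` and the `.example` URLs are hypothetical names.

```javascript
// Added illustration: models only the draft text quoted in this thread.
// Headers the quoted text says the user agent should not add.
const FORBIDDEN = ["user-agent", "accept", "accept-language",
                   "accept-encoding", "accept-charset"];

// Copy `headers` without the forbidden ones (names compared case-insensitively).
function toUniformRequestHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!FORBIDDEN.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// `server` maps URL -> constructed response {status, uniform, location, body}.
// strictRedirects=false follows the quoted draft text; true applies the
// proposal from the reply that a redirect must itself be a uniform response.
function fetchUniform(server, url, headers, { strictRedirects = false } = {}) {
  const sent = []; // every request issued, for inspection
  for (let hops = 0; hops < 10; hops++) {
    // Each redirected request must also be a uniform request.
    sent.push({ url, headers: toUniformRequestHeaders(headers) });
    const res = server[url];
    if (!res) return { accessible: false, body: null, sent };
    const isRedirect = res.status >= 300 && res.status < 400 && Boolean(res.location);
    if (!isRedirect) {
      // Final response is exposed only if it is a uniform response.
      return { accessible: res.uniform, body: res.uniform ? res.body : null, sent };
    }
    if (strictRedirects && !res.uniform) {
      return { accessible: false, body: null, sent };
    }
    // The redirect's own content is never handed to the requesting
    // content here; only its location is used to continue.
    url = res.location;
  }
  return { accessible: false, body: null, sent }; // hop limit reached
}

// Constructed sample: a non-uniform redirect leading to a uniform response.
const SAMPLE = {
  "https://a.example/start": { status: 302, uniform: false,
                               location: "https://b.example/data", body: "redirect body" },
  "https://b.example/data": { status: 200, uniform: true, body: "payload" },
};
```

With `SAMPLE`, the draft behaviour exposes the final body after two requests, while `strictRedirects: true` stops at the first hop.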
