Replying to myself...

On 20 Jun 2005 at 15:52, Hallvord Reiar Michaelsen Ste wrote:

> Commenting on 
> http://www.whatwg.org/specs/web-apps/current-work/#setrequestheader
> I'm not sure why we disallow normal headers at all.
> Would it be better if the spec just stated what headers could be 
> overridden or appended to? Basically we would have three categories: 
> untouchable, override and append (depending on whether the header 
> value can be a comma-separated list or not).

Here is a proposed replacement section (replacing the text from "User 
agents must not set any headers other than.." to the send method).

Editorial changes:
* Added many more headers - particularly disallowed ones
* Do not blanket disallow UAs from sending headers (but still mention 
cache-control specifically)
* I didn't see any reason for disallowing Accept-* headers, so I put 
them in the "append values to these" category. Nobody replied when I 
asked about this back in June.
* Added a statement about caching proxy behaviour (this came out of 
our discussion on whether UAs should report status 304 as 200)
* Added a list of headers that the UA can interpret OR pass on to the 
server according to caching proxy logic. I don't know if this is a 
complete list, since I haven't read that part of the HTTP spec 

HTML below, hopefully ready for the spec - feedback welcome!

     <p>The user agent may send any of these headers but must not 
allow the script to set any of them:</p>

     <ul>
        <li>Allow </li>
        <li>Allowed </li>
        <li>Connection </li>
        <li>Content-Length </li>
        <li>Content-Location </li>
        <li>Content-Range </li>
        <li>Host </li>
        <li>Max-Forwards </li>
        <li>Proxy-Authorization </li>
        <li>Public </li>
        <li>TE </li>
        <li>Trailer </li>
        <li>Transfer-Encoding </li>
        <li>Upgrade </li>
        <li>URI </li>
        <li>Vary </li>
        <li>Via </li>
        <li>Warning </li>
        <li>WWW-Authenticate </li>
     </ul>

    <p>The User Agent may send any of these headers. Values set by 
the script must be concatenated with the UA's value after a comma and 
a space.</p>
    <p>The User Agent must not automatically send the following 


     <p>User Agents must interpret any cache-related headers set by 
the script according to HTTP's rules for caching proxies <a 
href="#refsHTTP">[HTTP]</a>. This includes the following headers, 
which after being processed by the UA may or may not be sent to the 
    <li>Range </li>


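The three categories proposed in the mail (untouchable, override, append), modelled as an added JavaScript example; this is not code from the original mail or from any browser. The untouchable list is the one in the mail; the append-category membership (the Accept-* headers the mail suggests) and the UA default values are assumptions.

```javascript
// Headers the UA may send itself but a script must never set (list from the mail).
const UNTOUCHABLE = new Set([
  "allow", "allowed", "connection", "content-length", "content-location",
  "content-range", "host", "max-forwards", "proxy-authorization", "public",
  "te", "trailer", "transfer-encoding", "upgrade", "uri", "vary", "via",
  "warning", "www-authenticate",
]);

// Assumed append category: script values are joined to the UA's own value
// with ", " (comma, space) instead of replacing it, as the mail proposes for Accept-*.
const APPEND = new Set(["accept", "accept-language", "accept-encoding", "accept-charset"]);

// Assumed UA defaults for append-category headers (constructed sample values).
const UA_DEFAULTS = { accept: "*/*", "accept-language": "en" };

class RequestHeaders {
  constructor(uaDefaults = UA_DEFAULTS) {
    this.headers = new Map();
    for (const [name, value] of Object.entries(uaDefaults)) {
      this.headers.set(name, value);
    }
  }

  // Models setRequestHeader(name, value) under the three-category policy.
  // Returns the header value that would be sent, or throws for untouchable headers.
  setRequestHeader(name, value) {
    const key = name.toLowerCase();
    if (UNTOUCHABLE.has(key)) {
      // Untouchable: refusing here keeps framing/routing headers under UA control.
      throw new Error(`script must not set header ${name}`);
    }
    if (APPEND.has(key) && this.headers.has(key)) {
      // Append: keep the UA value first, then the script's value.
      this.headers.set(key, `${this.headers.get(key)}, ${value}`);
    } else {
      // Override: any other header is set as the script asked.
      this.headers.set(key, value);
    }
    return this.headers.get(key);
  }

  get(name) {
    return this.headers.get(name.toLowerCase());
  }
}
```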