Re: [hybi] Comments about draft-13
Bjoern Hoehrmann <derhoermi@gmx.net> Wed, 07 September 2011 01:43 UTC
Return-Path: <derhoermi@gmx.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F8521F8E31 for <hybi@ietfa.amsl.com>; Tue, 6 Sep 2011 18:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.866
X-Spam-Level:
X-Spam-Status: No, score=-3.866 tagged_above=-999 required=5 tests=[AWL=-1.267, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyIQt-pt-X9n for <hybi@ietfa.amsl.com>; Tue, 6 Sep 2011 18:43:50 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 0744621F8E27 for <hybi@ietf.org>; Tue, 6 Sep 2011 18:43:48 -0700 (PDT)
Received: (qmail invoked by alias); 07 Sep 2011 01:45:34 -0000
Received: from dslb-094-222-137-018.pools.arcor-ip.net (EHLO HIVE) [94.222.137.18] by mail.gmx.net (mp067) with SMTP; 07 Sep 2011 03:45:34 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1/UsL1RNXLUjA8aLWJ/UT5SwjZt8h7/yoXr0+pkEx OTcpiurQJaevIE
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Date: Wed, 07 Sep 2011 03:45:42 +0200
Message-ID: <f1id67156por0t8jdbgd8gg6hdur55fad3@hive.bjoern.hoehrmann.de>
References: <CALiegfkUMDfuRC+16ZcLo__2OqAcQ1UVDGa_610ykEAe6yZViw@mail.gmail.com> <CALiegf=wO6w5UMLO-hsn8o0cX3__SuxMDrgqvScuS6QWdNhptw@mail.gmail.com> <A59BAA80-CD38-48C4-A113-C1493072D079@bbn.com> <4E669025.8080804@isode.com> <F9EE9C7A-79FB-44E3-9114-0965D74C5E58@bbn.com>
In-Reply-To: <F9EE9C7A-79FB-44E3-9114-0965D74C5E58@bbn.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: hybi@ietf.org
Subject: Re: [hybi] Comments about draft-13
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 01:43:50 -0000
* Richard L. Barnes wrote: >I wouldn't have a problem with this had W3C not assigned a semantic to >the field name: >" >[Do not allow a script to set a header] if /header/ is a case-insensitive >match for one of the following headers [...] or if the start of /header/ >is a case-insensitive match for Proxy- or Sec- (including when header is >just Proxy- or Sec-). >" ><http://www.w3.org/TR/XMLHttpRequest/> This is an incorrect reading of the XMLHttpRequest proposal. The idea is that those header values must be controlled by the entity that puts the bits on the wire, not the caller of XMLHttpRequest methods. It could say just aswell that when the XMLHttpRequest caller sets the Content-Length header, the implementation must override or remove the value when making the request, as would be appropriate for the request. "A script" can of course control the value of the header by sending so and so many bytes (provided the length is indicated by the browser using the header). And that is just XMLHttpRequest anyway, not the Websocket API. Turning this around, you are saying that XMLHttpRequest callers should be able to set the Websocket header on ordinary HTTP requests despite them having no meaning there. Back in the day I argued to explain this in the terms above, and the proposal does say "Note: The above headers are controlled by the user agent to let it control those aspects of transport. This guarantees data integrity to some extent. Header names starting with Sec- are not allowed to be set to allow new headers to be minted that are guaranteed not to come from XMLHttpRequest." at least. "A script" is different from "not from XMLHttpRequest", so I am unclear on where the confusion comes from. That it is XMLHttpRequest that makes such conventions is a problem; I expect that the httpbis Working Group <http://lists.w3.org/Archives/Public/ietf-http-wg/2011JanMar/0160.html> where I raised it will resolve this in one form or another eventually. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
- [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Alexey Melnikov
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Richard L. Barnes
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Richard L. Barnes
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Richard L. Barnes
- Re: [hybi] Comments about draft-13 Philipp Serafin
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Philipp Serafin
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Alexey Melnikov
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Richard L. Barnes
- Re: [hybi] Comments about draft-13 Alexey Melnikov
- Re: [hybi] Comments about draft-13 Richard L. Barnes
- Re: [hybi] Comments about draft-13 Greg Wilkins
- Re: [hybi] Comments about draft-13 Bjoern Hoehrmann
- Re: [hybi] Comments about draft-13 Alexey Melnikov
- Re: [hybi] Comments about draft-13 Greg Wilkins
- Re: [hybi] Comments about draft-13 John Tamplin
- Re: [hybi] Comments about draft-13 Greg Wilkins
- Re: [hybi] Comments about draft-13 John Tamplin
- Re: [hybi] Comments about draft-13 Greg Wilkins
- Re: [hybi] Comments about draft-13 John Tamplin
- Re: [hybi] Comments about draft-13 Greg Wilkins
- Re: [hybi] Comments about draft-13 Bjoern Hoehrmann
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Iñaki Baz Castillo
- Re: [hybi] Comments about draft-13 Greg Wilkins
- Re: [hybi] Comments about draft-13 Joonas Lehtolahti
- Re: [hybi] Comments about draft-13 Peter Saint-Andre