https://issues.apache.org/bugzilla/show_bug.cgi?id=51181
--- Comment #37 from Mark Thomas <ma...@apache.org> 2012-02-16 22:35:46 UTC ---

I can see the possible requirement for access to the request headers when verifying the origin (and a few other processes). However, I'm leaning towards not implementing that now and adding it later if there is a demand for it. If we go that route I do think we just need to prevent access to the request since the problems that would start if a reference to the request is retained are not pretty. I'd probably just wrap the request in a facade that exposed the headers in read-only form and nothing else.

I'm now looking at the sub-protocol parts. The good news is that protocol names are tokens, which makes parsing them simple (the approach used in the patch is fine - just not the way I would have done it). However, my reading of the specification is slightly different from the patch as implemented. There are two differences:

a) I see no requirement for the server to respect the client's preference order for sub-protocols. Therefore, we need to pass the complete list of requested sub-protocols to the user servlet for it to pick one.

b) The server is free to not select one of the sub-protocols. This is not an error state.

Hopefully, I'll add the protocol handling stuff later this evening.
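
The sub-protocol handling discussed in points a) and b) above, as an added example that is not part of the original comment, the patch, or Tomcat's code. The class and method names are hypothetical; it assumes names follow the RFC 2616 token grammar and, per RFC 6455, also rejects a selection the client never offered.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

public class SubProtocolNegotiation {
    // Separator characters excluded from an RFC 2616 token.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={}";

    static boolean isToken(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Reject controls, space, non-ASCII and separators.
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return !s.isEmpty();
    }

    /** Collects every name from all Sec-WebSocket-Protocol header values. */
    static List<String> parseRequested(List<String> headerValues) {
        List<String> result = new ArrayList<>();
        for (String value : headerValues) {
            for (String part : value.split(",")) {
                String name = part.trim();
                if (!isToken(name)) {
                    throw new IllegalArgumentException("Invalid sub-protocol name");
                }
                result.add(name);
            }
        }
        return List.copyOf(result); // immutable: the selector cannot alter it
    }

    /** Returns the chosen sub-protocol, or null when the application picks none. */
    static String negotiate(List<String> headerValues, Function<List<String>, String> selector) {
        List<String> requested = parseRequested(headerValues);
        String chosen = selector.apply(requested);
        if (chosen != null && !requested.contains(chosen)) {
            throw new IllegalStateException("Selected sub-protocol was not requested");
        }
        return chosen; // null means: send no Sec-WebSocket-Protocol response header
    }

    public static void main(String[] args) {
        // Constructed sample header values, not taken from the bug report.
        List<String> hdr = List.of("chat, superchat", "v2.example");
        System.out.println(negotiate(hdr, r -> r.contains("superchat") ? "superchat" : null));
        System.out.println(negotiate(hdr, r -> null)); // no selection is not an error
    }
}
```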