This is actually split across send and setRequestHeader;
* send()
If the UA allows the specification of a proxy, it should modify the
request appropriately; i.e., connect to the proxy host instead of the
origin server, modify the Request-Line and send Proxy-Authorization
headers as specified.
If the UA supports HTTP Authentication [RFC2617], it should consider
XHR calls to be part of the protection space that includes the
accessed URIs, and send Authorization headers and handle 401
Unauthorised requests appropriately. If authentication fails, UAs
should prompt the users for credentials.
If the UA supports HTTP State Management [RFC2109 RFC2965], it should
persist, discard and send cookies (as received in the Set-Cookie and
Set-Cookie2 response headers, and sent in the Cookie header) as
applicable.
If the UA implements an HTTP cache [RFC2616], it should respect
Cache-Control request headers set by the author (e.g., "Cache-Control:
no-cache" bypasses the cache). It must not send Cache-Control or Pragma
request headers automatically unless the user explicitly requests
such behaviour (e.g., by force-reloading the page). 304 Not Modified
responses that are a result of a UA-generated conditional request
must be presented as 200 OK responses with the appropriate content.
Such UAs must allow authors to override automatic cache validation by
setting request headers (e.g., If-None-Match, If-Modified-Since), in
which case 304 Not Modified responses must be passed through.
If the UA implements server-driven content-negotiation [RFC2616], it
should set Accept-Language, Accept-Encoding and Accept-Charset
headers as appropriate; it must not automatically set the Accept
header. Responses to such requests must have content-codings
automatically removed.
* setRequestHeader()
The nominated request header field value must be set to value, with
the following exceptions;
1) Nothing must be done if the header or value arguments contain any
U+000A LINE FEED or U+000D CARRIAGE RETURN characters, or if the
header argument contains any U+0020 SPACE or U+003A COLON characters.
2) UAs must not allow the following headers to be set by authors:
Accept-Charset, Accept-Encoding, Content-Length, Connection, Date,
Host, Keep-Alive, Referer, TE, Trailer, Transfer-Encoding
Implementations must replace any existing value if the nominated
request header field value is one of:
Authorization, Content-Base, Content-Location, Content-MD5,
Content-Range, Content-Type, Content-Version, Delta-Base, Depth,
Destination, ETag, Expect, From, If-Modified-Since, If-Range,
If-Unmodified-Since, Max-Forwards, MIME-Version, Overwrite,
Proxy-Authorization, SOAPAction, Timeout
Otherwise, if the nominated request header field already has a value,
the new value must be combined with the existing value, as specified
by [RFC2616 Section 4.2].
--
Mark Nottingham
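The setRequestHeader() rules (reject CR/LF and SPACE/COLON, refuse the UA-owned headers, replace vs. combine) and the 304 Not Modified rule from the send() section, modelled in JavaScript as an added example. This is not code from the post above or from any user agent; the RequestHeaders class, presentResponse() function and the sample cache entry are assumptions made for illustration.

```javascript
// Added example: a model of the proposed setRequestHeader() rules and of
// how a UA-generated vs. author-generated conditional request affects the
// status the author sees. Names below are assumed, not from any UA.

// Rule 2: headers the UA owns; authors cannot set them.
const FORBIDDEN_HEADERS = new Set([
  "accept-charset", "accept-encoding", "content-length", "connection",
  "date", "host", "keep-alive", "referer", "te", "trailer",
  "transfer-encoding",
]);

// Headers whose existing value is replaced rather than combined.
const REPLACE_HEADERS = new Set([
  "authorization", "content-base", "content-location", "content-md5",
  "content-range", "content-type", "content-version", "delta-base",
  "depth", "destination", "etag", "expect", "from", "if-modified-since",
  "if-range", "if-unmodified-since", "max-forwards", "mime-version",
  "overwrite", "proxy-authorization", "soapaction", "timeout",
]);

class RequestHeaders {
  constructor() {
    this.map = new Map(); // lower-cased field name -> field value
  }

  // Returns true if the header was applied, false if the call was ignored.
  setRequestHeader(header, value) {
    // Rule 1: a CR or LF in either argument would let an author terminate
    // the field and inject further header lines, so the call does nothing.
    if (/[\r\n]/.test(header) || /[\r\n]/.test(value)) return false;
    // A SPACE or COLON in the name would likewise break the field syntax.
    if (/[ :]/.test(header)) return false;

    const name = header.toLowerCase();
    if (FORBIDDEN_HEADERS.has(name)) return false;

    if (REPLACE_HEADERS.has(name) || !this.map.has(name)) {
      this.map.set(name, value);
    } else {
      // RFC 2616 section 4.2: repeated fields combine into one
      // comma-separated list in the order they were added.
      this.map.set(name, `${this.map.get(name)}, ${value}`);
    }
    return true;
  }

  get(header) {
    return this.map.get(header.toLowerCase());
  }
}

// If the author set a validator header, a 304 is passed through unchanged.
// If the conditional request was generated by the UA from its own cache,
// the 304 is presented as a 200 OK carrying the cached body, with the
// cached headers refreshed by those in the 304.
function presentResponse(headers, cachedEntry, response) {
  if (response.status !== 304) return response;
  const authorValidated =
    headers.get("If-None-Match") !== undefined ||
    headers.get("If-Modified-Since") !== undefined;
  if (authorValidated) return response;
  if (!cachedEntry) {
    throw new Error("304 received but no cache entry to revalidate");
  }
  return {
    status: 200,
    body: cachedEntry.body,
    headers: { ...cachedEntry.headers, ...response.headers },
  };
}

// Constructed sample cache entry used by the checks below.
const SAMPLE_CACHE_ENTRY = {
  body: "cached body",
  headers: { etag: '"v1"', "content-type": "text/plain" },
};
```

Usage: a call such as setRequestHeader("X-Trace", "a\r\nX-Injected: 1") returns false and leaves no header behind, setRequestHeader("Host", "example.com") is refused, two Accept calls combine into "text/html, application/xml", and a second Content-Type call replaces the first; presentResponse() turns a 304 into a 200 only when the author supplied no If-None-Match or If-Modified-Since.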