Jonas Sicking wrote:
...
Yes, if it's a security problem not to. IMHO that should be the
determining factor.
Actually, I'm wondering if we should disallow any header starting with
"Proxy-". For example Proxy-Authorization header looks scary to me.
...
Well, this is yet another case where the theory of spec writing and
practice aren't aligned :-)
I'd prefer the spec not to state normative requirements with respect to
headers that don't even have a spec. So optimally, write down what you
think the header does, and get it registered in the provisional IANA
registry.
Best regards, Julian