Morgan L wrote:
Hi, I'm writing about what appears to be an error in
the XHR TR.
In section 2 of http://www.w3.org/TR/XMLHttpRequest/,
it says that setRequestHeader should reject the
connection header.
However, there are web apps in existence (e.g., Gmail)
that set the "connection: close" header to inform the
user-agent that the HTTP transaction is going to take
a long time. (This is also informative for the
server.) This allows a user-agent to not count this
connection against the RFC 2616 recommended maximum of
2 persistent connections per host.
So, it seems to me that the arguments
setRequestHeader("connection", "close") should be
allowed.
More details in this WebKit bug:
http://bugs.webkit.org/show_bug.cgi?id=17682
It looks like recent versions of WebKit and Gecko
block the "connection" request header per this TR.
However, Firefox 2 does not.
We do block, but not because of this TR. IIRC there are security issues
with other values for connection, though I don't specifically remember
what they are. However setting something like "connection: keep-alive"
when the browser is not expecting that could have bad effects on other
connections to that server.
/ Jonas
