On Mon, Feb 21, 2011 at 6:28 PM, Mark Nottingham <[email protected]> wrote:
> On 22/02/2011, at 1:08 PM, Adam Barth wrote:
>> I'm not sure I understand how this would work. Let's take the example
>> of Sec-WebSocket-Key. When would the user agent send XHR2-Secure:
>> Sec-WebSocket-Key?
>
> Ah, I see; you want to dynamically prohibit the client sending a header,
> rather than declare what headers the client didn't allow modification of.
>
> A separate header won't help you, no.
>
> The problems I brought up still stand, however. I think we need to have a
> discussion about how much convenience the implementers really need here, and
> also to look at the impact on the registration procedure for HTTP headers.
The Sec- behavior has only been implemented for a few years at this point. If there was another solution that worked better, we could likely adopt it. I couldn't think of one at the time, but other folks might have more clever ideas.

Adam
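For readers who have not worked with the "Sec-" rule the two messages above are debating, the following is an added illustration (not code from this thread, from the XHR2 editors, or from any browser) of how the user agent enforces it today: header names are matched case-insensitively against a fixed list plus the "Proxy-" and "Sec-" prefixes, and a forbidden name is dropped silently rather than raising an error. The list follows the forbidden request-header names in the Fetch specification; the `RequestHeaderModel` class is a hypothetical stand-in for the part of `XMLHttpRequest.setRequestHeader` that does the filtering. It also shows why a dynamic "XHR2-Secure: Sec-WebSocket-Key" signal would add nothing: the static prefix check already refuses the name before any server-provided list could be consulted.

```javascript
// Added illustration of the "Sec-" header rule discussed in the thread.
// Not code from the mailing list; names below are assumptions for the demo.

// Forbidden request-header names (lower-cased), per the Fetch specification.
// Everything else is decided by the two prefix checks in isForbiddenRequestHeader.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// True when script must not be allowed to set this request header.
// Header names are case-insensitive, so normalise before comparing.
// "Sec-" and "Proxy-" are prefix rules: "Security-Token" is NOT caught,
// because the hyphen is part of the reserved prefix.
function isForbiddenRequestHeader(name) {
  const lower = String(name).toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(lower) ||
    lower.startsWith("proxy-") ||
    lower.startsWith("sec-");
}

// Hypothetical model of the filtering step in XMLHttpRequest.setRequestHeader:
// a forbidden name is ignored (no exception), anything else is recorded.
// Returns whether the header was accepted so the behaviour can be checked.
class RequestHeaderModel {
  constructor() {
    this.headers = new Map();
  }

  setRequestHeader(name, value) {
    if (isForbiddenRequestHeader(name)) {
      return false; // silently dropped, matching real user-agent behaviour
    }
    this.headers.set(String(name).toLowerCase(), String(value));
    return true;
  }
}

// Walk-through of the example from the thread: script tries to set the
// WebSocket handshake header via XHR and it never reaches the request.
function demo() {
  const req = new RequestHeaderModel();
  const accepted = {
    secWebSocketKey: req.setRequestHeader("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ=="),
    xRequestedWith:  req.setRequestHeader("X-Requested-With", "XMLHttpRequest"),
    securityToken:   req.setRequestHeader("Security-Token", "not-a-sec-prefix"),
  };
  return { accepted, sent: Array.from(req.headers.keys()) };
}
```

Run `demo()` to see that only `x-requested-with` and `security-token` survive into the request; the `Sec-WebSocket-Key` attempt returns `false` and leaves no trace, which is the "dynamically prohibit" behaviour Mark refers to, done statically by name rather than by a per-response header.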
