Maciej Stachowiak schrieb:
Yes. The problem is the spec saying "...nothing SHOULD be done...". I
think it's better to be explicit what the implementation should do (in
this case, ignore the method call).
I agree that using active voice is better than using passive voice, but
there are no requirements being imposed on the server here (wouldn't
make sense for XMLHttpRequest to do that).
Yep, sorry. I spent so much time specifying server behavior that is
automatically slipped into. So...:
"For security reasons, *an implementation* SHOULD ignore any attempt to
modify any of the headers below (header names being matched
case-insensitively):"
Best regards, Julian
