Updated: 2008-02-25 (mca)
When dealing with Cross-Site Requests (CSRs), the following needs to be considered for handling HTTP headers. For example, consider the case of handling the cookie and set-cookie headers.

In the least restrictive case, clients can receive the set-cookie header from servers. They can also send the cookie header back to the server. Clients also allow script authors to edit the contents of the cookie header directly:
    // via the request header (setRequestHeader is called on an opened instance; the URL is a placeholder)
    var xhr = new XMLHttpRequest();
    xhr.open('GET', '/resource');
    xhr.setRequestHeader('cookie', 'mysecret=12345;');
    // via the cookie object
    document.cookie = 'mysecret=12345; expires=Sun, 02 Aug 2009 15:30:00 GMT; path=/';
In a more restrictive case, the set-cookie and cookie headers would be allowed, but script authors could not change the content of the cookie header. The client could only read cookie values from the header, but not write them. In the most restrictive case, clients could not even receive the cookie or set-cookie headers from the server or send the cookie header to the server.
Finally, there is the matter of how to handle attempts to 'break the rules.' One possibility is to ignore the attempt. For example, in the case where cookies can be read but not written, the client could just silently ignore attempts to write a cookie value. Alternatively, the client could throw an error and stop the processing of the request. For example, if the server sends a set-cookie header to the client, a SECURITY_ERR would be thrown.
Examples of HTTP headers that the XMLHttpRequest client can receive, but not edit, are Content-Length and Date.
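The three cookie-handling policies described above, together with the two ways of reacting to a rule-breaking attempt (silent ignore or SECURITY_ERR), can be modelled as a small policy layer in front of the request and response headers. The following is an added example, not code from the original page or from any browser's XMLHttpRequest implementation: `CookiePolicy`, `RestrictedClient` and `SecurityError` are names chosen for the illustration, and the header values used in the comments and test are constructed.

```javascript
// Added example: a toy model of the cookie-handling policies discussed above.
// CookiePolicy, RestrictedClient and SecurityError are illustrative names,
// not part of any XMLHttpRequest implementation.

const CookiePolicy = {
  PERMISSIVE: 'permissive', // cookie/set-cookie flow, and script may write the cookie header
  READ_ONLY: 'read-only',   // cookie/set-cookie flow, but script may only read them
  FORBIDDEN: 'forbidden'    // cookie/set-cookie never cross the client boundary
};

// Headers the client may receive but never let script edit (the page names
// Content-Length and Date), independent of the cookie policy.
const NEVER_EDITABLE = new Set(['content-length', 'date']);

// Stands in for the DOM SECURITY_ERR the page mentions.
class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SECURITY_ERR';
  }
}

class RestrictedClient {
  // policy: a CookiePolicy value; onViolation: 'ignore' (drop silently) or 'throw'
  constructor(policy, onViolation) {
    this.policy = policy;
    this.onViolation = onViolation;
    this.requestHeaders = {};
    this.responseHeaders = {};
  }

  // Central choice point: silently refuse, or stop processing with SECURITY_ERR.
  violation(message) {
    if (this.onViolation === 'throw') throw new SecurityError(message);
    return false;
  }

  // Script-side write to a request header. Returns true if stored, false if
  // silently ignored; throws SecurityError in 'throw' mode.
  setRequestHeader(name, value) {
    const key = name.toLowerCase();
    if (NEVER_EDITABLE.has(key)) {
      return this.violation(`${name} is receive-only and cannot be edited by script`);
    }
    if (key === 'cookie' && this.policy !== CookiePolicy.PERMISSIVE) {
      return this.violation(`cookie header is not writable under the ${this.policy} policy`);
    }
    this.requestHeaders[key] = value;
    return true;
  }

  // Headers the client actually puts on the wire. Under the forbidden policy no
  // cookie header is sent at all, not even one the user agent's cookie jar holds.
  outgoingHeaders(userAgentCookie) {
    const out = Object.assign({}, this.requestHeaders);
    if (this.policy === CookiePolicy.FORBIDDEN) {
      delete out.cookie;
    } else if (userAgentCookie && out.cookie === undefined) {
      out.cookie = userAgentCookie; // the jar supplies it when script did not
    }
    return out;
  }

  // A server response arrives; decide which headers script may read.
  receiveResponse(headers) {
    const exposed = {};
    for (const [name, value] of Object.entries(headers)) {
      const key = name.toLowerCase();
      if (key === 'set-cookie' && this.policy === CookiePolicy.FORBIDDEN) {
        this.violation('server sent set-cookie under the forbidden policy');
        continue; // reached only in 'ignore' mode: the header is dropped
      }
      exposed[key] = value;
    }
    this.responseHeaders = exposed;
    return exposed;
  }

  getResponseHeader(name) {
    const value = this.responseHeaders[name.toLowerCase()];
    return value === undefined ? null : value;
  }
}
```

Under the read-only policy `setRequestHeader('cookie', ...)` is refused while `getResponseHeader('set-cookie')` still returns the server's value; under the forbidden policy the set-cookie header is either dropped before script sees it or, in 'throw' mode, turns into a SECURITY_ERR that ends processing of the response.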
| Category | RFC | Flags | Description |
|---|---|---|---|
| Request | RFC2616 | Send, Recv, Edit | Used to tell the server what media type(s) are preferred by the client. |
| | | | Used to tell the server what character sets are preferred by the client. |
| | | | Used to tell the server the encodings preferred by the client. |
| Request | RFC2616 | Send, Recv, Edit | Used to tell the server which natural languages are preferred by the client. |
| Response | RFC2616 | Recv | Used by the server to indicate it is capable of supporting the Accept-Range header from the client. Can be set to bytes or none. |
| Response | RFC2616 | Recv | Indicates the server's estimate of the age (in seconds) of the requested resource. |
| Entity | RFC2616 | Recv | Used by the server to indicate which HTTP methods are supported for this URI. Usually sent in response to an OPTIONS request to the target URI. |
| Response | RFC2616 | Recv | Sent by the server as the final step in the Digest authentication conversation with the client. |
| Request | RFC2616 | Send, Edit | The security token that represents the authenticated client. |
| General | RFC2616 | Send, Recv, Edit | Used to control caching behavior. The value of this header depends on whether it is sent in a request (by the client) or in a response (by the server). |
| | | | Used to manage the connection type. Can be Keep-Alive or Close. Also possible: Upgrade. |
| Response | RFC2616 | Recv | Used by the server to suggest the filename the client should use when the client wants to store the resource locally. |
| | | | Used to indicate any special encoding of the body of the request. Common values are: 1) compress; 2) deflate; and 3) gzip. Clients indicate their encoding preferences using the Accept-Encoding header. |
| Entity | RFC2616 | Recv | Indicates the language used in the body of the request. Clients indicate their language preferences using the Accept-Language header. |
| | | | The length of the entity body in bytes. |
| Entity | RFC2616 | Recv | Used to indicate the URL of the returned resource when it does not match the requested resource. |
| Entity | RFC2616 | Send, Recv, Edit | Used to ensure the contents of the message arrived safely. For example, the server would calculate the MD5 (Message Digest 5) hash of the message body and convert it into Base64 encoding to create a single string that represents the message body. Upon receipt, the client would do the same and compare the two strings. If they match, the message body arrived without alterations. |
| Entity | RFC2616 | Recv | Used by a server to indicate it is only returning a portion of the requested resource. Usually in response to the Range request header. |
| Entity | RFC2616 | Send, Recv, Edit | Used to indicate the type of resource being transmitted. Usually one of the types maintained by the IANA. |
| Request | RFC2109 | Send, Edit | A collection of state data passed between server and client. Created by the client in response to the Set-Cookie header (see Response headers). |
| | | | The date of the request or response. |
| Response | RFC2616 | Send, Recv, Edit | The server's 'version' value of the resource. Usually a hash of the body of the resource. Used for caching and as a way to validate updates (PUT/POST). |
| | | | One or more restrictions that the server MUST meet in order to complete the request. This is a Hop-by-Hop header (any proxy MUST return 417 if that proxy cannot meet the request). |
| Entity | RFC2616 | Recv | Used to indicate the date and time this resource will be considered invalid. Sent by the server to tell the client the last date/time the resource can be cached locally. |
| Request | RFC2616 | Send, Recv, Edit | The email address of the client user. |
| | | | Specifies the Internet host and port number of the resource being requested. |
| Request | RFC2616 | Send, Recv, Edit | Client's copy of the server's ETag. Used in caching and to validate the version/copy of the resource. Usually a hash of the resource body. If the value matches the one on the server, the request will be executed by the server. |
| Request | RFC2616 | Send, Edit | Client's copy of the Date header sent by the server. Used in caching and to validate the version/copy of the resource. |
| Request | RFC2616 | Send, Edit | Client's copy of the server's ETag. Used in caching and to validate the version/copy of the resource. Usually a hash of the resource body. If the value *does not* match the one on the server, the request will be executed by the server. |
| Request | RFC2616 | Send, Edit | Used along with the Range header. Can be a copy of the server's ETag or Date. If this value matches the one on the server, the server *will* send the requested Range of the resource. |
| Request | RFC2616 | Send, Edit | A copy of the server's Date header. If this value matches the one on the server, the server will execute the request. Usually used to make sure the resource on the server has not changed before the client's POST or PUT action is executed. |
| | | | Can be used to indicate to both client and server how long the connection can be kept open. Obsoleted in RFC2616. |
| Entity | RFC2616 | Recv | Used to indicate the date/time the resource was last modified. |
| Response | RFC2616 | Recv | The URI to use to get the most recent copy of the requested resource. Usually used during a 'redirect' action. |
| Request | RFC2616 | Send, Edit | Used by clients to limit the number of intermediaries (proxies) through which the request may be passed. Rarely used, except for diagnosing proxy issues. |
| General | RFC2616 | Send, Recv, Edit | Used to control caching behavior for HTTP 1.0 servers. Can only be set to no-cache. |
| | | | Same as the WWW-Authenticate header, except sent by proxy/intermediate machines to authenticate against the server. |
| | | | Same as the Authorization header, but in response to a proxy's Proxy-Authenticate header. |
| Request | RFC2616 | Send, Edit | Used by the client to tell the server to send just a byte range of the resource on the server. |
| | | | Used by the client to indicate the current location from which the request is coming. |
| Response | RFC2616 | Recv | Can be used by the server to tell the client to periodically send a GET request back to the server. The same as the http-equiv="refresh" HTML meta tag. |
| Response | RFC2616 | Recv | Used by the server, during a 503 (Service Unavailable) error, to tell the client how long to wait before trying the request again. |
| Response | RFC2616 | Recv | Identity string for this server. |
| Response | RFC2109 | Recv | Used by the server to tell the client to store some state information to return to the server with subsequent requests. |
| | | | Transfer encoding indicator. Usually used to indicate the client can support chunked transfers. |
| General | RFC2616 | Send, Recv, Edit, HbH, XHRr | Allows sending headers mixed in with the resource body. Used with chunked transfers. |
| General | RFC2616 | Send, Recv, Edit, HbH | Used to indicate details on the transfer of the body. Only one valid value right now: chunked. |
| | | | Used to try to negotiate a protocol change between client and server. |
| Request | RFC2616 | Send | The identity string for this client. |
| Response | RFC2616 | Recv | Instructions to any intermediaries/proxies on which header(s) to use when determining how to fulfil the request from caches. |
| | | | Used by proxies/intermediaries to identify themselves in the communication stream. Similar to the Server and User-Agent headers. |
| General | RFC2616 | Recv | Relays additional information, usually sent by the server to the client to indicate problems with caching. |
| Response | RFC2616 | Recv | Used by the server to indicate the client must first send authentication credentials in order to complete the request. |
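Several rows in the table describe one mechanism from both sides: the server publishes an ETag (a hash of the body), and the client echoes it back in If-None-Match to revalidate a cached copy or in If-Match to make a PUT conditional on the resource not having changed since it was read. The following added example, not code from the original page, models the server side of that exchange on an in-memory resource. `Resource`, `etagFor` and `preconditionMatches` are illustrative names; the page does not specify a hash function, and the FNV-1a hash below is chosen only to keep the example dependency-free.

```javascript
// Added example: an in-memory resource that evaluates the ETag, If-Match and
// If-None-Match headers described in the table. Resource, etagFor and
// preconditionMatches are illustrative names, not from the page.

// The page says an ETag is "usually a hash of the body". FNV-1a (32-bit) keeps this
// example dependency-free; a production server would use a cryptographic hash.
function etagFor(body) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < body.length; i++) {
    hash ^= body.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return `"${hash.toString(16).padStart(8, '0')}"`;
}

// If-Match / If-None-Match carry either '*' or a comma-separated list of entity tags.
function preconditionMatches(headerValue, etag) {
  if (headerValue.trim() === '*') return true;
  return headerValue.split(',').map(s => s.trim()).includes(etag);
}

class Resource {
  constructor(body) { this.body = body; }
  get etag() { return etagFor(this.body); }

  // GET: If-None-Match lets a caching client skip the body when its copy is current.
  // headers is an object whose keys are lower-cased request header names.
  handleGet(headers) {
    const inm = headers['if-none-match'];
    if (inm !== undefined && preconditionMatches(inm, this.etag)) {
      return { status: 304, headers: { ETag: this.etag }, body: '' };
    }
    return { status: 200, headers: { ETag: this.etag }, body: this.body };
  }

  // PUT: If-Match makes the update conditional on the client's copy still being
  // current, so a client holding a stale version cannot silently overwrite a
  // newer one. A mismatch is answered with 412 and the resource is left untouched.
  handlePut(headers, newBody) {
    const im = headers['if-match'];
    if (im !== undefined && !preconditionMatches(im, this.etag)) {
      return { status: 412, headers: { ETag: this.etag }, body: '' };
    }
    this.body = newBody;
    return { status: 204, headers: { ETag: this.etag }, body: '' };
  }
}
```

The flow a client would follow is: GET the resource and keep the ETag from the response; send it back as If-None-Match on later GETs to receive 304 instead of the body; and send it as If-Match on a PUT so that the update is refused with 412 if someone else has changed the resource in the meantime.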