Hi Mark - thanks for the comments. See below:
On 5/10/12 1:23 AM, Mark Thomas wrote:
> On 10/05/2012 01:13, Danny Coward wrote:
>> Origin header - mostly 'plumbing': client implementation may or may not provide, server implementation may or may not check. App developer might care to know if the server's policy is to check clients declared name or not?
>
> I view this as a per endpoint decision, not a server wide one. By default the server accepts everything and it is up to the endpoint to be more selective if it wishes.

OK, I've added this into the initial discussion for now. I'm hoping that containers will provide their own mechanisms for verifying Origin headers and not leave it all up to developers! Perhaps we require containers to support the verification and allow developers to configure it, I'm not sure.

>> Sec-WebSocket-Protocol - 'application specific': particular client apps will want to declare an ordered list of preferred subprotocols, a particular server app will want to respond with a single preferred subprotocol it will support for a given client based on its declared subprotocol list.
>
> +1
>
>> Sec-WebSocket-Extensions - similar responsibilities as above, except the server-side applications respond with a list of extensions.
>
> +1
>
>> (Sidebar: what extensions are people here seeing used?)
>
> Nothing yet, but it is early days for the Tomcat WebSocket implementation.

I have left this out of the API for now, because I'm not sure yet.

>> Any other Request headers that either specific client applications or specific server applications are making use of that you know?
>
> Nothing as yet but we did have a general discussion about applications perhaps wanting access to the request during the upgrade process and came to the conclusion that providing a read-only copy of the HTTP headers would be sufficient although we held off implementing it until someone asked for it (they haven't yet).

OK. Well, it's always a safe bet to hand them everything in case they need it all :) But I'd like to build a list of what they might need before we expose everything - so do keep us posted if specific use cases come up.

[jsr356-experts] Re: Question on Handshake / Headers
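
The per-endpoint handshake decisions discussed in this thread, sketched as an added example that is not part of the original messages, of Tomcat, or of any JSR 356 draft: an Origin allowlist that accepts everything by default, selection of a single subprotocol from the client's ordered list, and a read-only copy of the request headers. `HandshakePolicy` and its method names are hypothetical, and the header values are constructed samples.

```java
import java.util.*;

// Added illustration; class and method names are hypothetical.
public class HandshakePolicy {
    private final Set<String> allowedOrigins;        // empty set = accept everything (the default)
    private final List<String> supportedSubprotocols;

    HandshakePolicy(Set<String> allowedOrigins, List<String> supportedSubprotocols) {
        this.allowedOrigins = allowedOrigins;
        this.supportedSubprotocols = supportedSubprotocols;
    }

    // Read-only copy of the upgrade request headers; header names are case-insensitive.
    static Map<String, List<String>> readOnly(Map<String, List<String>> raw) {
        Map<String, List<String>> copy = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        raw.forEach((name, values) -> copy.put(name, List.copyOf(values)));
        return Collections.unmodifiableMap(copy);
    }

    // Per-endpoint Origin check. Once an allowlist is configured, a missing or
    // repeated Origin header is rejected, and matching is exact (no suffix or
    // substring matching, which would let look-alike hosts through).
    boolean originAccepted(Map<String, List<String>> headers) {
        if (allowedOrigins.isEmpty()) return true;
        List<String> origin = headers.getOrDefault("Origin", List.of());
        return origin.size() == 1 && allowedOrigins.contains(origin.get(0));
    }

    // Walk the client's list in its declared preference order and answer with
    // the first subprotocol this endpoint supports, or none at all.
    Optional<String> selectSubprotocol(Map<String, List<String>> headers) {
        for (String line : headers.getOrDefault("Sec-WebSocket-Protocol", List.of()))
            for (String token : line.split(","))
                if (supportedSubprotocols.contains(token.trim())) return Optional.of(token.trim());
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample headers from two upgrade requests.
        Map<String, List<String>> known = readOnly(Map.of(
            "origin", List.of("https://chat.example.com"),
            "sec-websocket-protocol", List.of("v2.chat.example, v1.chat.example")));
        Map<String, List<String>> unknown = readOnly(Map.of(
            "origin", List.of("https://other.example")));
        HandshakePolicy open = new HandshakePolicy(Set.of(), List.of());
        HandshakePolicy strict = new HandshakePolicy(
            Set.of("https://chat.example.com"), List.of("v1.chat.example"));
        System.out.println("open endpoint, unknown origin:   " + open.originAccepted(unknown));
        System.out.println("strict endpoint, known origin:   " + strict.originAccepted(known));
        System.out.println("strict endpoint, unknown origin: " + strict.originAccepted(unknown));
        System.out.println("strict endpoint, subprotocol:    " + strict.selectSubprotocol(known));
    }
}
```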