Difference between revisions of "HTTP Fetch Policy"

From WHATWG Wiki
(One intermediate revision by the same user not shown)
Line 9: Line 9:
* Uppercased (so e.g. geT becomes GET): CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, and TRACK.
* Uppercased (so e.g. geT becomes GET): CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, and TRACK.
* Never work: CONNECT, TRACE, and TRACK (subset of the above).
* Never work: CONNECT, TRACE, and TRACK (subset of the above).
* Everything else works within the syntax constraints.


Author headers: Everything but [http://xhr.spec.whatwg.org/#dom-xmlhttprequest-setrequestheader setRequestHeader()] limitations.
Author headers: Everything but [http://xhr.spec.whatwg.org/#dom-xmlhttprequest-setrequestheader setRequestHeader()] limitations.


Headers: Host, Origin, ...
Headers: Host, Origin, ...
Credentials: Cookies and HTTP authentication


Body: No limitations
Body: No limitations
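Review bot: "Everything else works within the syntax constraints." in the Methods list does not say which syntax constraints apply, so a reader cannot tell what counts as a valid method. Name or link the grammar that defines them, the way the Author headers line links setRequestHeader().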
Line 29: Line 32:


Headers: Also Content-Type with value application/json
Headers: Also Content-Type with value application/json
Credentials: none (although the current draft says to include all)


=== WebSocket cross-origin (no preflight) allowance ===
=== WebSocket cross-origin (no preflight) allowance ===


Headers: Also Upgrade: websocket, Connection: Upgrade, Sec-WebSocket-Key, Sec-WebSocket-Protocol, Sec-WebSocket-Version
Headers: Also Upgrade: websocket, Connection: Upgrade, Sec-WebSocket-Key, Sec-WebSocket-Protocol, Sec-WebSocket-Version
Credentials: No HTTP authentication (due to API)


== Response ==
== Response ==
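Review bot: the CSP line "Credentials: none (although the current draft says to include all)" records a disagreement with a draft without identifying it; link the draft text in question so the discrepancy can be checked. The WebSocket line "Credentials: No HTTP authentication (due to API)" also leaves cookies unstated, while the general section lists both cookies and HTTP authentication; say explicitly whether cookies are sent.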

Latest revision as of 19:35, 23 March 2013

This document attempts to describe the platform's fetching policy for HTTP.

Request

General limitations

Methods:

  • Uppercased (so e.g. geT becomes GET): CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, and TRACK.
  • Never work: CONNECT, TRACE, and TRACK (subset of the above).
  • Everything else works within the syntax constraints.

Author headers: Everything except the headers excluded by the setRequestHeader() limitations.

Headers: Host, Origin, ...

Credentials: Cookies and HTTP authentication

Body: No limitations

Additional general cross-origin (no preflight) limitations

Methods: Only GET, HEAD, and POST.

Author headers: Only Accept, Accept-Language, Content-Language, and Content-Type. If Content-Type, value excluding parameters must be application/x-www-form-urlencoded, multipart/form-data, or text/plain.
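The method and author-header rules listed so far can be written as a small classifier. This is an added example, not code from the wiki or from any specification. The function names, the verdict labels, and the lowercasing and trimming of the Content-Type value are assumptions of the example.

```javascript
// Added example: classifier for the request rules listed on this page.
// All names here are hypothetical; they do not come from a spec or a browser.
const NORMALIZED = ["CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE", "TRACK"];
const NEVER_WORK = new Set(["CONNECT", "TRACE", "TRACK"]);
const NO_PREFLIGHT_METHODS = new Set(["GET", "HEAD", "POST"]);
const NO_PREFLIGHT_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const NO_PREFLIGHT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Only the nine listed methods are uppercased; any other method is kept as written.
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED.includes(upper) ? upper : method;
}

// Content-Type "value excluding parameters": the text before the first ";".
// Trimming and lowercasing are assumptions of this example.
function essence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Verdicts (labels chosen for this example):
//   "blocked"      method never works
//   "no-preflight" within the general cross-origin (no preflight) limitations
//   "preflight"    anything outside those limitations
function classifyCrossOrigin(method, authorHeaders = {}) {
  const m = normalizeMethod(method);
  if (NEVER_WORK.has(m)) return { verdict: "blocked", reason: `method ${m} never works` };
  if (!NO_PREFLIGHT_METHODS.has(m)) return { verdict: "preflight", reason: `method ${m}` };
  for (const [name, value] of Object.entries(authorHeaders)) {
    const n = name.toLowerCase();
    if (!NO_PREFLIGHT_HEADERS.has(n)) return { verdict: "preflight", reason: `header ${name}` };
    if (n === "content-type" && !NO_PREFLIGHT_TYPES.has(essence(value)))
      return { verdict: "preflight", reason: `content-type ${essence(value)}` };
  }
  return { verdict: "no-preflight", reason: "within the general cross-origin limits" };
}

// Constructed sample requests (not from the page).
for (const [m, h] of [["geT", {}], ["POST", { "Content-Type": "text/plain; charset=utf-8" }],
                      ["POST", { "Content-Type": "application/json" }], ["patch", {}], ["trace", {}]])
  console.log(m, JSON.stringify(h), "->", classifyCrossOrigin(m, h).verdict);
```

A server-side endpoint reachable by requests in the "no-preflight" class cannot treat the preflight as a gate, so it needs its own origin or token check.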

EventSource cross-origin (no preflight) allowance

Headers: Also Last-Event-ID

CSP cross-origin (no preflight) allowance

Headers: Also Content-Type with value application/json

Credentials: none (although the current draft says to include all)

WebSocket cross-origin (no preflight) allowance

Headers: Also Upgrade: websocket, Connection: Upgrade, Sec-WebSocket-Key, Sec-WebSocket-Protocol, Sec-WebSocket-Version

Credentials: No HTTP authentication (due to API)

Response

...