Difference between revisions of "HTTP Fetch Policy"

From WHATWG Wiki
(Created page with "This document tries to document the platform's fetching policy for HTTP. == Request == === General limitations === Methods: * Uppercased (so e.g. geT becomes GET): CONNECT...")
 
(add websocket)
Line 10: Line 10:
 
* Never work: CONNECT, TRACE, and TRACK (subset of the above).
 
* Never work: CONNECT, TRACE, and TRACK (subset of the above).
  
Headers: Limitations as per [http://xhr.spec.whatwg.org/#dom-xmlhttprequest-setrequestheader setRequestHeader()].
+
Author headers: Everything but [http://xhr.spec.whatwg.org/#dom-xmlhttprequest-setrequestheader setRequestHeader()].
 +
 
 +
Headers: Host, Origin, ...
  
 
Body: No limitations
 
Body: No limitations
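Review bot: The new "Author headers: Everything but [... setRequestHeader()]" line drops the old "Limitations as per" wording and now reads as if a method were being excluded from a list of headers; name what is excluded, for example "Everything but the headers setRequestHeader() rejects". The added "Headers: Host, Origin, ..." line does not say whose headers these are or what the limitation on them is, and the trailing "..." leaves the list open; a label that pairs with "Author headers" and either the full list or a pointer to where it is defined would close that gap.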
Line 18: Line 20:
 
Methods: Only GET, HEAD, and POST.
 
Methods: Only GET, HEAD, and POST.
  
Headers: Only Accept, Accept-Language, Content-Language, and Content-Type. If Content-Type, value excluding parameters must be application/x-www-form-urlencoded, multipart/form-data, or text/plain.
+
Author headers: Only Accept, Accept-Language, Content-Language, and Content-Type. If Content-Type, value excluding parameters must be application/x-www-form-urlencoded, multipart/form-data, or text/plain.
 +
 
 +
=== EventSource cross-origin (no preflight) allowance ===
 +
 
 +
Headers: Also Last-Event-ID
  
=== EventSource cross-origin (no preflight) allowance(sp?) ===
+
=== CSP cross-origin (no preflight) allowance ===
  
Headers: Last-Event-ID
+
Headers: Also Content-Type with value application/json
  
=== CSP cross-origin (no preflight) allowance(sp?) ===
+
=== WebSocket cross-origin (no preflight) allowance ===
  
Headers: Content-Type, with value application/json
+
Headers: Also Upgrade: websocket, Connection: Upgrade, Sec-WebSocket-Key, Sec-WebSocket-Protocol, Sec-WebSocket-Version
  
 
== Response ==
 
== Response ==
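Review bot: The allowance sections keep the bare "Headers:" label ("Headers: Also Last-Event-ID", "Headers: Also Content-Type with value application/json") while this revision splits the sections above them into "Author headers:" and "Headers:", so it is unclear which of the two lists "Also" extends; use the matching label in each allowance section. The new WebSocket line also mixes name: value pairs ("Upgrade: websocket", "Connection: Upgrade") with bare header names ("Sec-WebSocket-Key") in one comma-separated list; state the names and the required values separately so the entries cannot be misread.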

Revision as of 19:22, 23 March 2013

This document tries to document the platform's fetching policy for HTTP.

Request

General limitations

Methods:

  • Uppercased (so e.g. geT becomes GET): CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, and TRACK.
  • Never work: CONNECT, TRACE, and TRACK (subset of the above).

Author headers: Everything but the headers setRequestHeader() disallows.

Headers: Host, Origin, ...

Body: No limitations

Additional general cross-origin (no preflight) limitations

Methods: Only GET, HEAD, and POST.

Author headers: Only Accept, Accept-Language, Content-Language, and Content-Type. If Content-Type, value excluding parameters must be application/x-www-form-urlencoded, multipart/form-data, or text/plain.

EventSource cross-origin (no preflight) allowance

Headers: Also Last-Event-ID

CSP cross-origin (no preflight) allowance

Headers: Also Content-Type with value application/json

WebSocket cross-origin (no preflight) allowance

Headers: Also Upgrade: websocket, Connection: Upgrade, Sec-WebSocket-Key, Sec-WebSocket-Protocol, Sec-WebSocket-Version
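
The method and author-header limits listed above, written out as a checker. This is an added example, not code from the wiki or from any specification; the function and table names are hypothetical, and the WebSocket handshake headers are left out of it.

```javascript
// Added example: models the request limits listed on this page.
// All names here are hypothetical; this is not a browser API.
const NORMALIZED = ["CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE", "TRACK"];
const NEVER_WORK = ["CONNECT", "TRACE", "TRACK"];
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SIMPLE_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
// Per-feature additions: header name -> required value (null = any value).
const ALLOWANCES = {
  EventSource: { "last-event-id": null },
  CSP: { "content-type": "application/json" },
};

// Only the listed methods are matched case-insensitively and uppercased;
// any other method passes through unchanged.
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED.includes(upper) ? upper : method;
}

// Content-Type is compared with its parameters (";charset=...") removed.
function mimeEssence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Returns { allowed, method, reasons } for a cross-origin request sent
// without a preflight. `feature` is optional: "EventSource" or "CSP".
function checkNoPreflight(method, headers, feature) {
  const m = normalizeMethod(method);
  const extra = Object.hasOwn(ALLOWANCES, String(feature)) ? ALLOWANCES[feature] : {};
  const reasons = [];
  if (NEVER_WORK.includes(m)) reasons.push(`method ${m} never works`);
  else if (!SIMPLE_METHODS.includes(m)) reasons.push(`method ${m} is outside the no-preflight set`);
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (Object.hasOwn(extra, n) && (extra[n] === null || mimeEssence(value) === extra[n])) continue;
    if (!SIMPLE_HEADERS.includes(n)) reasons.push(`header ${name} is outside the no-preflight set`);
    else if (n === "content-type" && !SIMPLE_TYPES.includes(mimeEssence(value)))
      reasons.push(`Content-Type ${mimeEssence(value)} is outside the no-preflight set`);
  }
  return { allowed: reasons.length === 0, method: m, reasons };
}
```

A server-side handler can use the same tables in reverse: any state-changing endpoint reachable with a method and headers that pass this check can be hit cross-origin without an OPTIONS request ever arriving.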

Response

...