chore(http): Refresh headers ~[s->x] #36862
Conversation
github-actions
bot
added
Content:HTTP
files/en-us/web/http/headers/service-worker-navigation-preload/index.md
Outdated
Show resolved
Hide resolved
|
This pull request has merge conflicts that must be resolved before it can be merged. |
github-actions
bot
added
size/xl
| The **`SourceMap`** [HTTP](/en-US/docs/Web/HTTP) response header links generated code to a [source map](https://firefox-source-docs.mozilla.org/devtools-user/debugger/how_to/use_a_source_map/index.html), enabling the browser to reconstruct the original source and present the reconstructed original in the debugger. | ||
| The HTTP **`SourceMap`** {{Glossary("response header")}} links generated code to a {{Glossary("source map")}}, enabling the browser to reconstruct the original source and present the reconstructed original in the debugger. | ||
|
|
||
| The HTTP `SourceMap` header has precedence over a source annotation (`sourceMappingURL=path-to-map.js.map`), and if both are present, the header URL is used to resolve the source map file. |
There was a problem hiding this comment.
Link to sourceMappingURL?
| ``` | ||
|
|
||
| Developer tools use the mappings between optimized code and the original source to improve readability, which can make debugging easier. |
There was a problem hiding this comment.
| Developer tools use the mappings between optimized code and the original source to improve readability, which can make debugging easier. | |
| Developer tools use the source map to reconstruct the original source from the optimized JavaScript returned in the response, allowing developers to debug the original code rather than the format that has been optimized for sending. |
| the user agent is willing to accept. (you could informally call it | ||
| `Accept-Transfer-Encoding`, which would be more intuitive). | ||
| The HTTP **`TE`** {{Glossary("request header")}} specifies the transfer encodings the user agent is willing to accept. | ||
| Some people informally consider "`Accept-Transfer-Encoding`" to be a more intuitive name for this header. |
There was a problem hiding this comment.
I'm sure they do, as do I. But it's odd to talk about a more intuitive name that doesn't exist.
| Some people informally consider "`Accept-Transfer-Encoding`" to be a more intuitive name for this header. |
| > [HTTP/2](https://httpwg.org/specs/rfc9113.html#ConnectionSpecific) and | ||
| > [HTTP/3](https://httpwg.org/specs/rfc9114.html#header-formatting), the `TE` | ||
| > header field is only accepted if the `trailers` value is set. | ||
| Note that `chunked` is always acceptable for HTTP/1.1 recipients and you don't have to specify `chunked` using the `TE` header. |
There was a problem hiding this comment.
What is chunked? It isn't mentioned elsewhere in this doc. I would assume a kind of encoding but it is not listed
| @@ -82,9 +82,14 @@ Tk: N | |||
|
|
|||
| ## Specifications | |||
|
|
|||
| Part of the discontinued [Tracking Preference Expression (DNT)](https://www.w3.org/TR/tracking-dnt/#response-header-field) specification. | |||
| The discontinued [Tracking Preference Expression (DNT)](https://www.w3.org/TR/tracking-dnt/#response-header-field) specification. | |||
There was a problem hiding this comment.
Why not do this using spec-url?
| dynamically generated while the message body is sent, such as a message integrity check, | ||
| digital signature, or post-processing status. | ||
| The HTTP **Trailer** {{glossary("request header", "request")}} and {{glossary("response header")}} allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent. | ||
| The content of a trailer field may be a message integrity check, digital signature, or post-processing status. |
There was a problem hiding this comment.
Or Server-Timing, and maybe other things - is this canonical or "for example"?
|
|
||
| In this example, the {{HTTPHeader("Expires")}} header is used at the end of the chunked | ||
| message and serves as a trailing header. | ||
| In this example response, the {{HTTPHeader("Expires")}} header is used at the end of the chunked message and serves as a trailing header: |
There was a problem hiding this comment.
Confusing.
| In this example response, the {{HTTPHeader("Expires")}} header is used at the end of the chunked message and serves as a trailing header: | |
| In this example response, the {{HTTPHeader("Expires")}} header is used as a trailing header: |
|
|
||
| `Transfer-Encoding` is a [hop-by-hop header](/en-US/docs/Web/HTTP/Headers#hop-by-hop_headers), that is applied to a message between two nodes, not to a resource itself. | ||
| Each segment of a multi-node connection can use different `Transfer-Encoding` values. | ||
| If you want to compress data over the whole connection, use the end-to-end {{HTTPHeader("Content-Encoding")}} header instead. | ||
|
|
||
| When present on a response to a {{HTTPMethod("HEAD")}} request that has no body, it indicates the value that would have applied to the corresponding {{HTTPMethod("GET")}} message. | ||
|
|
||
| > [!WARNING] | ||
| > HTTP/2 disallows all uses of the `Transfer-Encoding` header other than the HTTP/2 specific value `"trailers"`. | ||
| > HTTP/2 and later provides other, more efficient, mechanisms for data streaming than chunked transfer. |
There was a problem hiding this comment.
Provide?
| > HTTP/2 and later provides other, more efficient, mechanisms for data streaming than chunked transfer. | |
| > HTTP/2 and later provide other, more efficient, mechanisms for data streaming than chunked transfer. |
| - `<protocol_version>` {{optional_inline}} | ||
| - : An optional protocol version may be provided prefixed with a `/` forward slash. |
There was a problem hiding this comment.
Should this be indented?
|
|
||
| The `Upgrade` header field may be used by clients to invite a server to switch to one (or more) of the listed protocols, in descending preference order. | ||
| ```http | ||
| Upgrade: <protocol>[/<protocol_version>] |
There was a problem hiding this comment.
I can't remember if we normally show multiples here, rather than stating below that they are comma separated. But I think we do
| > [!NOTE] | ||
| > In contrast to earlier drafts of the specifications, the weighting is _not_ declared via [q-values](/en-US/docs/Glossary/Quality_values). | ||
| ```http | ||
| Want-Content-Digest: <digest-algorithm>=<preference> |
There was a problem hiding this comment.
This implies you can set only one value, even though example below shows multiples, and you would not necessarily need preference if you could only set one.
|
|
||
| ## Directives | ||
|
|
||
| For permissible digest algorithms see {{HTTPHeader("Repr-Digest")}}. | ||
| - `<digest-algorithm>` | ||
| - : The algorithm used to create a digest of the message content. |
There was a problem hiding this comment.
Should this be something like "the algorithm to be used to ..."
| > [!NOTE] | ||
| > In contrast to earlier drafts of the specifications, the weighting is _not_ declared via [q-values](/en-US/docs/Glossary/Quality_values). | ||
| ```http | ||
| Want-Repr-Digest: <digest-algorithm>=<preference> |
There was a problem hiding this comment.
Ditto to above - do we need to indicate multiple values are allowed here?
|
|
||
| ## Directives | ||
|
|
||
| For permissible digest algorithms see {{HTTPHeader("Repr-Digest")}}. | ||
| - `<digest-algorithm>` | ||
| - : The algorithm used to create a digest of the representation. |
There was a problem hiding this comment.
As above - the "requested algorithm" or something to state that this is wanted. Perhaps this is fine.
| ... | ||
| WWW-Authenticate: challengeN | ||
| ```plain | ||
| WWW-Authenticate = #challenge |
There was a problem hiding this comment.
Why #
Oh, I see - I think you're perhaps pulling this out of the spec to mean "some kind of challenge". Lets not do that.
| WWW-Authenticate: <auth-scheme> realm=<realm> auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token | ||
| WWW-Authenticate: <auth-scheme> token68 auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token | ||
| ```plain | ||
| challenge = <auth-scheme> [ 1*SP ( <token68> / #<auth-param> ) ] |
There was a problem hiding this comment.
I don't understand this syntax. We don't use it anywhere else, and it is nowhere near as clear as what it replaces.
For example, what is 1*SP? What is #<auth-param>.
Web APIs and CSS spell out the options. I'm not sure that is possible here, but certainly this is not helpful without some more work.
| According to the specification, it can hold a base64, base64url, base32, or base16 (hex) encoding, with or without padding, but excluding whitespace. | ||
| - : A token that may be useful for some schemes. | ||
| The token allows the 66 unreserved URI characters plus a few others. | ||
| According to the specification, it can hold a {{glossary("base64")}}, base64url, base32, or base16 (hex) encoding, with or without padding, but excluding whitespace. |
There was a problem hiding this comment.
Do we need "According to the specification, " (see similar previous comment)
| WWW-Authenticate: challenge1, …, challengeN | ||
| ``` | ||
|
|
||
| Multiple challenges can be sent in separate `WWW-Authenticate` headers in the same response: |
There was a problem hiding this comment.
I wonder if this should also be said up in the syntax section.
| @@ -53,6 +42,15 @@ X-Content-Type-Options: nosniff | |||
| `style` and the MIME type is not `text/css`, | |||
| or of type `script` and the MIME type is not a [JavaScript MIME type](https://html.spec.whatwg.org/multipage/scripting.html#javascript-mime-type). | |||
|
|
|||
| ## Description | |||
|
|
|||
| This header was introduced by Microsoft in IE 8 as a way for webmasters to block content sniffing that was happening and could transform non-executable MIME types into executable MIME types. | |||
There was a problem hiding this comment.
Feels like there should be a BCD entry for this and the information here should go into it.
| has the meaning described in the [Directives](#directives) section. But if there's a risk the client or any proxy | ||
| is malicious or misconfigured, then it's possible any part (or the entirety) of the header may have been | ||
| spoofed (and may not be a list or contain IP addresses at all). | ||
| For example: |
There was a problem hiding this comment.
Do we need this. Or to put it another way, in other cases you don't have a lead in like this. Further, in some you have the comments outside the code block and others inside.
FWIW I would just remove this line.
| - : The client IP address. | ||
| - `<proxy>` | ||
| - : A proxy IP address. | ||
| If a request goes through multiple proxies, the IP addresses of each successive proxy is listed. |
There was a problem hiding this comment.
| If a request goes through multiple proxies, the IP addresses of each successive proxy is listed. | |
| If a request goes through multiple proxies, the IP addresses of each successive proxy are listed. |
| X-Forwarded-For: 203.0.113.195,2001:db8:85a3:8d3:1319:8a2e:370:7348,198.51.100.178 | ||
| ``` | ||
| This header exposes privacy-sensitive information by design, such as the IP address of the client. | ||
| Therefore, the user's privacy must be kept in mind when deploying this header. |
There was a problem hiding this comment.
I've seen "deploying this header" a few times. Do you really deploy a header? I don't know why, but it is a bit grating. Maybe "use"
| This header exposes privacy-sensitive information by design, such as the IP address of the client. | ||
| Therefore, the user's privacy must be kept in mind when deploying this header. | ||
|
|
||
| The `X-Forwarded-For` header is untrustworthy when no **trusted reverse proxy** (e.g., a load balancer) is between the client and server. |
There was a problem hiding this comment.
This sounds wrong. My assumption is that you could have a trusted reverse proxy between client and server and the header is still untrustworthy, because you have several other untrusted proxies (or whatever) between them.
This can only be true if the only thing that can be setting this header is a single reverse proxy, and that must also be trusted
|
|
||
| ```http | ||
| X-Forwarded-For: 203.0.113.195,2001:db8:85a3:8d3:1319:8a2e:370:7348,198.51.100.178 | ||
| ``` |
There was a problem hiding this comment.
I think this is all OK in this topic, but getting tired and finding it hard to parse.
| <td>{{Glossary("Response header")}}</td> | ||
| </tr> | ||
| <tr> | ||
| <th scope="row">{{Glossary("Forbidden header name")}}</th> |
There was a problem hiding this comment.
I think this probably should be https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_response_header_name - since it is a response header.
|
|
||
| > [!WARNING] | ||
| > Even though this feature can protect users of older web browsers that don't yet support {{Glossary("CSP")}}, in some cases, **XSS protection can create XSS vulnerabilities** in otherwise safe websites. See the section below for more information. | ||
| > Even though this feature can protect users of older web browsers that don't yet support {{Glossary("CSP")}}, in some cases, **XSS protection can create XSS vulnerabilities** in otherwise safe websites. See the [Security considerations](#security_considerations) section below for more information. |
There was a problem hiding this comment.
| > Even though this feature can protect users of older web browsers that don't yet support {{Glossary("CSP")}}, in some cases, **XSS protection can create XSS vulnerabilities** in otherwise safe websites. See the [Security considerations](#security_considerations) section below for more information. | |
| > Even though this feature can protect users of older web browsers that don't yet support {{Glossary("CSP")}}, in some cases, **`X-XSS-Protection` can create XSS vulnerabilities** in otherwise safe websites. See the [Security considerations](#security_considerations) section below for more information. |
| - Chrome has [removed their XSS Auditor](https://chromestatus.com/feature/5021976655560704) | ||
| - Firefox has not, and [will not implement `X-XSS-Protection`](https://bugzil.la/528661) | ||
| - Edge has [retired their XSS filter](https://blogs.windows.com/windows-insider/2018/07/25/announcing-windows-10-insider-preview-build-17723-and-build-18204/) |
There was a problem hiding this comment.
If this is not in BCD it should be pushed there. The sentence below would then be reworded appropriately.
|
This has cooked my brain :-0. Probably got a bit more sloppy towards the end. |
Yes, I can imagine - thank you very much 🙏🏻 |
Description
This PR refreshes a few HTTP headers pages.
common changes:
The HTTP **`Header-Name`** (request|response) headerin first sentence{{HTTPStatus("406", "406 Not Acceptable")}}Motivation
Keeping content up-to-date, fixing formatting, unifying writing conventions