W3C home > Mailing lists > Public > public-coremob@w3.org > June 2012

Re: on requiring origin request header?

From: SULLIVAN, BRYAN L <bs3131@att.com>
Date: Thu, 7 Jun 2012 23:53:12 +0000
To: Glenn Adams <glenn@skynav.com>
CC: W3C CoreMob CG <public-coremob@w3.org>
Message-ID: <024023E9-681F-4355-8AD6-5EACF5A393F5@att.com>

As I read the CORS spec the Origin is required in at least some cases, e.g. as in 6.1 "Resources must use the following set of steps to determine which additional headers to use in the response:

  1.  If the Origin<http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#http-origin> header is not present terminate this set of steps. The request is outside the scope of this specification."

The requirement here is on the receiver but it implies that a sender that does not include the Origin header is making an ineffectual request. Thus the MUST is at least implied, for UAs that intend to make cross-origin requests.

Or did I misunderstand your comment?

Bryan Sullivan

On Jun 6, 2012, at 5:02 PM, "Glenn Adams" <glenn@skynav.com<mailto:glenn@skynav.com>> wrote:

I noticed that Core Mobile Profile - Level 0 does mandate support for CORS (Section 5); however, it is my understanding that neither HTML5 nor CORS requires a UA to include an Origin header in a fetch request (whether a CORS or non-CORS fetch). I wonder if any further mandatory language is required to determine when an Origin header must or should be included in fetch request.
Received on Thursday, 7 June 2012 23:54:09 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:05:47 UTC