W3C home > Mailing lists > Public > public-coremob@w3.org > June 2012

Re: on requiring origin request header?

From: Glenn Adams <glenn@skynav.com>
Date: Thu, 7 Jun 2012 18:07:02 -0600
Message-ID: <CACQ=j+d2Zs9Q2QgVnucdvZHpsMbb-D_X7V+5p8MYG0sA+JaZzA@mail.gmail.com>
To: "SULLIVAN, BRYAN L" <bs3131@att.com>
Cc: W3C CoreMob CG <public-coremob@w3.org>
On Thu, Jun 7, 2012 at 5:53 PM, SULLIVAN, BRYAN L <bs3131@att.com> wrote:

> Glenn,
>
> As I read the CORS spec the Origin is required in at least some cases,
> e.g. as in 6.1 "Resources must use the following set of steps to determine
> which additional headers to use in the response:
>
>  1.  If the Origin<
> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#http-origin> header
> is not present terminate this set of steps. The request is outside the
> scope of this specification."
>
> The requirement here is on the receiver but it implies that a sender that
> does not include the Origin header is making an ineffectual request. Thus
> the MUST is at least implied, for UAs that intend to make cross-origin
> requests.
>

I would not agree that this language implies the Origin header MUST be
present in the request, as it specifies the behavior on the server
(receiver of request) if it is not present.

Of course, if a CORS request is missing an Origin header, then the language
you cite will terminate the algorithm in 6.1 (without specifying what the
result should or may be I might add, since it is rules "out of scope").

The fact is that nothing in HTML5 nor CORS requires a UA to send an Origin
header even if it (the UA) implements CORS and is performing a CORS request.

I've asked both hixie and anne if this is the case, and they both agree it
is correct. My understanding is that Ian does not want to specify when
Origin header must be sent since HTML5 does not require use of HTTP. And
Anne does not choose to go beyond the current language in CORS.
Received on Friday, 8 June 2012 00:08:02 UTC

This archive was generated by hypermail 2.3.1 : Friday, 19 April 2013 17:36:46 UTC