Re: [fetch] Update Access-Control-Allow-Headers CORS response header to allow * (allow-all) (#251)

I really like the idea that we allow `Access-Control-Allow-Origin: *`, `Access-Control-Allow-Headers: *` and `Access-Control-Allow-Methods: *`, but only when `Access-Control-Allow-Credentials: true` is not set.

When `Access-Control-Allow-Credentials: true` is set, then `*` is a forbidden value for all of `Access-Control-Allow-Origin`, `Access-Control-Allow-Headers` and `Access-Control-Allow-Methods`. If at that point a `*` is received for any of those headers, the header is ignored.

That's consistent with how `Access-Control-Allow-Origin` currently works, and should be very safe and cover the common use cases.


---
https://github.com/whatwg/fetch/issues/251#issuecomment-199951266

Received on Tuesday, 22 March 2016 18:27:04 UTC
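
The rule proposed in the comment above, written out as a preflight check. This is an added example, not part of the original message and not Fetch specification text. The names `allowList` and `checkPreflight` are hypothetical, and the code assumes that only a bare `*` counts as the wildcard, that GET, HEAD and POST never need explicit permission, and that `req.headers` lists only header names that do need permission.

```javascript
// Added illustration of the rule proposed in the comment; names are hypothetical.
// Response header maps use lowercase header names.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Turn one Access-Control-Allow-* value into an allow-list.
// Assumption: only a bare "*" is the wildcard. With credentials it is
// forbidden, so the whole header is ignored (treated as if absent).
function allowList(value, withCredentials, normalize) {
  if (value === undefined) return { any: false, ignored: false, values: new Set() };
  if (value.trim() === "*") {
    return { any: !withCredentials, ignored: withCredentials, values: new Set() };
  }
  const items = value.split(",").map((s) => normalize(s.trim())).filter(Boolean);
  return { any: false, ignored: false, values: new Set(items) };
}

// res: lowercase response header map; req: { origin, method, headers: [names] }.
function checkPreflight(res, req) {
  const withCredentials = res["access-control-allow-credentials"] === "true";
  const same = (s) => s;
  const lower = (s) => s.toLowerCase(); // header names are case-insensitive
  const lists = {
    "access-control-allow-origin":
      allowList(res["access-control-allow-origin"], withCredentials, same),
    "access-control-allow-methods":
      allowList(res["access-control-allow-methods"], withCredentials, same),
    "access-control-allow-headers":
      allowList(res["access-control-allow-headers"], withCredentials, lower),
  };
  const origin = lists["access-control-allow-origin"];
  const methods = lists["access-control-allow-methods"];
  const headers = lists["access-control-allow-headers"];

  const originOk = origin.any || origin.values.has(req.origin);
  const methodOk = methods.any || SAFELISTED_METHODS.has(req.method) ||
    methods.values.has(req.method);
  const headersOk = headers.any ||
    req.headers.every((h) => headers.values.has(lower(h)));

  // Names of headers dropped because they carried "*" alongside credentials.
  const ignored = Object.keys(lists).filter((name) => lists[name].ignored);
  return { allowed: originOk && methodOk && headersOk, ignored };
}
```

The `ignored` list makes the failure reason visible when auditing a server configuration that combines wildcards with `Access-Control-Allow-Credentials: true`.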