[whatwg/fetch] Treatment of empty-valued Access-Control-Request-Headers (#459) from sof on 2017-01-17 (public-webapps-github@w3.org from January 2017)

From: sof <notifications@github.com>
Date: Tue, 17 Jan 2017 06:34:57 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/459@github.com>

Following steps 3-5 of https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 , a CORS-preflight request will always include a "Access-Control-Request-Headers" mapping, even if |headers| is empty. (Which is consistent with https://fetch.spec.whatwg.org/#http-new-header-syntax)

This represents a change from earlier treatments of this header value for preflights ( https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 ), which left it out if the preflighted requests only had CORS-safelisted headers (nee author request headers)... even though it was spec'ed as legal to send an empty value.

This is change in behaviour is causing some downstream services to fail upon encountering such an empty-valued header, see https://crbug.com/633729 . Might it be worth considering limiting ACRH to non-empty values?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/459

Received on Tuesday, 17 January 2017 14:35:32 UTC