- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 31 Oct 2017 10:13:26 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 31 October 2017 10:13:49 UTC
annevk commented on this pull request.

I'd also prefer it if Content-Type was always followed by the word "header". LGTM with those nits.

> @@ -2226,6 +2229,19 @@ Access-Control-Allow-Credentials: true</pre> ignored. </div> +<h4 id=cors-protocol-exceptions>CORS protocol exceptions</h4> + +<p>Specifications have allowed limited exceptions to the CORS safelist for non-safelisted +`<code>Content-Type</code>` values. These exceptions are made for requests that can be triggered by +web content but whose headers and bodies can be only minimally controlled by the web content. +Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted +requests with the following non-safelisted `<code>Content-Type</code>` values: +`<code>application/csp-report</code>`, `<code>application/report</code>`, +`<code>application/expect-ct-report+json</code>`, `<code>application/ocsp-request</code>`.

Please add "and" here.

--
You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/621#pullrequestreview-73108674
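Review bot: The sentence beginning "Therefore, servers should expect" in the new "CORS protocol exceptions" paragraph stops short of the consequence for server authors: an endpoint that accepts any of the four listed `Content-Type` values cannot treat the absence of a preflight, or the media type itself, as a sign that the request did not come from cross-origin web content. Consider adding a sentence that says so. Separately, "Specifications have allowed limited exceptions" names no specification, so a reader cannot trace where each of the four values is defined; linking the defining document next to each value would fix that.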