- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 07 May 2010 09:30:10 +0900
- To: "WebApps WG" <public-webapps@w3.org>
Here is a brief proposal for how we could simplify the current set of CORS headers. We can use this thread to evaluate whether it is worth breaking with what Firefox, Safari, Chrome, and IE are doing now. And whether all parties are willing to change their supported syntax in due course. Furthermore, I suggest that if we have nothing conclusive on this topic by June 15 we consider ISSUE-89[1] as resolved. We have to move on at some point. (Maybe the chairs should issue a CfC for this to make it official.) I suggest we merge Access-Control-Allow-Origin, Access-Control-Allow-Credentials, and Access-Control-Max-Age into a new header, named CORS. The syntax of this new header would be: "CORS" : "credentials"? origin-value delta-seconds? Access-Control-Allow-Methods and Access-Control-Allow-Headers become CORS-Methods and CORS-Headers respectively. I do not think it is worth trying to merge these in as well. We keep the Origin header. And Access-Control-Request-Method and Access-Control-Request-Headers are merged into a new header, named CORS-Preflight. The syntax of this new header would be: "CORS-Preflight" : Method [SP field-name]* [1]<http://www.w3.org/2008/webapps/track/issues/89> -- Anne van Kesteren http://annevankesteren.nl/
Received on Friday, 7 May 2010 00:30:56 UTC