W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

[cors] Content-Type

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 22 Jun 2011 14:44:44 +0200
To: "WebApps WG" <public-webapps@w3.org>, "Jonas Sicking" <jonas@sicking.cc>
Message-ID: <op.vxg9ouz864w2qv@anne-van-kesterens-macbook-pro.local>
Currently when making a preflight request user agents are required to  
include "content-type" in the Access-Control-Request-Headers header if the  
author specified a Content-Type header. However, this Content-Type header  
included in the actual request can contain a header value allowed by  
"simple headers", such as "text/plain". Is it a problem that the server  
cannot distinguish which Content-Type header is meant? The primary reason  
for the preflight request is awareness, but it still strikes me as icky.

There is one other problem noted by sicking on the WHATWG list. Namely  
that Content-Type can also be set by the user agent. E.g. based on the  
File object passed to the send() method in XMLHttpRequest. So I think I  
will update the places where CORS compares "author request headers" (I  
renamed "custom request headers" as "author" is clearer and "custom"  
caused confusion) against "simple headers" to also compare the  
Content-Type header (if set by the user agent) against "simple headers".

Does that make sense?


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 22 June 2011 12:45:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:45 GMT