
Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 27 Jul 2011 09:44:03 -0700
Message-ID: <CA+c2ei_HLxz6unGV2Hj7t3rGb6Q4QkGv0i=O17Q_Gr4dqy5sig@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Cc: public-webapps@w3.org, annevk@opera.com, satish.cattamanchi@gmail.com

On Wed, Jul 27, 2011 at 9:32 AM, Vladimir Dzhuvinov
<vladimir@dzhuvinov.com> wrote:
> Hi guys,
>
> I'm the maintainer of CORS Filter, a small library for retrofitting
> Java web apps with CORS support.
>
> A developer who is using the library reported that the library was
> unexpectedly denying CORS requests from version 13 (still in beta)
> Google Chrome browsers. He contacted Google support and was informed
> that Chrome 13 is including "Origin" in the
> "Access-Control-Request-Headers" field.
>
> Is this browser behaviour proper according to the CORS protocol?
>
> My understanding of the CORS spec is that
> "Access-Control-Request-Headers" is meant only for custom headers
> appended to the XHR request by means of its "setRequestHeader" method.
> Is this so?
>
> My tests have also shown that FF, Safari, IE and also Chrome (up to
> version 12) do not include "Origin" in the
> "Access-Control-Request-Headers" header of outgoing CORS requests.

Your understanding is correct. Similarly, headers such as "User-Agent",
"Host" and "Referer" aren't listed in
"Access-Control-Request-Headers". Nor is the
"Access-Control-Request-Headers" header itself.

We recently clarified this in the CORS spec as I recall it.

/ Jonas
Received on Wednesday, 27 July 2011 16:45:14 GMT
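As an added example (not the CORS Filter code, and not from anyone in this thread), the preflight check below applies the rule Jonas states: browser-controlled names such as Origin are not expected in Access-Control-Request-Headers, so a server can disregard them instead of denying the request, while still rejecting custom headers that are not on its allow list. The allowed origins, allowed headers and the sample Chrome 13 preflight are all constructed values.

```python
# Added example, not from the CORS Filter project or the thread.
# Access-Control-Request-Headers should list only author-set (custom) request
# headers; browser-controlled names are not expected there.  A server that
# denies the preflight when one appears (as reported for Chrome 13 beta)
# produces a spurious failure.  Dropping those names before enforcing the
# custom-header allow list avoids that without loosening the policy.

ALLOWED_ORIGINS = {"https://app.example"}                # constructed policy
ALLOWED_HEADERS = {"content-type", "x-requested-with"}   # lower-case, constructed

# Names the browser sets itself; harmless if a browser lists them anyway.
BROWSER_CONTROLLED = {"origin", "host", "user-agent", "referer",
                      "access-control-request-headers"}


def parse_request_headers(value):
    """Split the comma-separated list; header names are case-insensitive."""
    if value is None:
        return set()
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def evaluate_preflight(headers):
    """Return (allowed, reason) for an OPTIONS preflight.

    `headers` maps lower-case request header names to their values.
    """
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if headers.get("access-control-request-method") is None:
        return False, "not a preflight request"
    requested = parse_request_headers(headers.get("access-control-request-headers"))
    # Ignore browser-controlled names, then enforce the custom-header allow list.
    unexpected = (requested - BROWSER_CONTROLLED) - ALLOWED_HEADERS
    if unexpected:
        return False, "headers not allowed: " + ", ".join(sorted(unexpected))
    return True, "ok"


# Constructed preflight resembling the Chrome 13 beta behaviour described above.
CHROME13_PREFLIGHT = {
    "origin": "https://app.example",
    "access-control-request-method": "POST",
    "access-control-request-headers": "Origin, Content-Type",
}

if __name__ == "__main__":
    print(evaluate_preflight(CHROME13_PREFLIGHT))
```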
