W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2011

Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 17 Dec 2011 16:10:28 +0100
To: "Vladimir Dzhuvinov" <vladimir@dzhuvinov.com>
Cc: "Jonas Sicking" <jonas@sicking.cc>, public-webapps@w3.org, satish.cattamanchi@gmail.com
Message-ID: <op.v6m23qix64w2qv@annevk-macbookpro.local>
On Fri, 29 Jul 2011 14:25:07 +0200, Vladimir Dzhuvinov  
<vladimir@dzhuvinov.com> wrote:
> Regarding "6. Resource processing model": [item 3] "A list of headers
> consisting of zero or more header field names that are supported by
> the resource.":
> Is this list supposed to be
> 1) of the non-simple headers only - as per
> http://dev.w3.org/2006/waf/access-control/#simple-header or
> 2) of all supported headers that the author may choose to set,
> including those that qualify as simple?
> Because right now the Java CORS filter expects to receive only
> non-simple headers in "Access-Control-Request-Headers", and if for
> some reason the browser has decided to include a simple header, e.g.
> "Accept", in the preflight request it won't be allowed to proceed.

My apologies for forgetting to reply to this message. Fortunately it was  
still somewhere in my inbox! It seems your Java CORS filter has a bug as  
simple headers can be included there (for consistency).

Anne van Kesteren
Received on Saturday, 17 December 2011 15:11:02 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:37 UTC