Re: [cors] The case of Http Headers in Access-Control-Request-Headers

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 21 Dec 2011 21:58:01 -0500
Message-ID: <4EF29CB9.80702@mit.edu>
To: public-webapps@w3.org

On 12/21/11 9:43 PM, Benson Margulies wrote:
> I just made a small discovery;
> Chrome 16 sends, e.g.
>    Access-Control-Request-Headers: Content-Type
> Firefox 8.0 sends, contrastively:
>    Access-Control-Request-Headers: content-type
> Given the requirement for case-sensitive comparison in the spec


http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html section 6.2 step 6 

   If any of the header field-names is not a ASCII case-insensitive
   match for any of the values in list of headers do not set any
   additional headers and terminate this set of steps.

so the comparison is ASCII case-insensitive.  That's as far as server 

 > this to me suggests that one of them is wrong. Which?

As far as requirements on the browser go, the relevant part is section 
7.1.5 step 1 second list item 2, which says:

   If author request headers is not empty include an
   Access-Control-Request-Headers header with as header field value
   a comma-separated list of the header field names from author
   request headers in lexicographical order, each converted to
   ASCII lowercase (even when one or more are a simple header).

So what Firefox is doing is correct, and what Chrome is doing is wrong.

Received on Thursday, 22 December 2011 02:58:43 UTC
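
The two rules quoted in the message above, as an added example (not code from the e-mail, the CORS draft, or either browser): the browser-side serialization from section 7.1.5 and the server-side ASCII case-insensitive check from section 6.2 step 6, next to the exact-match check that would treat the two browsers differently. The function names, the sample allow-list and the bare "," separator are assumptions.

```javascript
// ASCII-only lowercasing: folds A-Z and nothing else. String.prototype.toLowerCase
// also folds non-ASCII characters (U+212A KELVIN SIGN becomes "k"), which is
// broader than an "ASCII case-insensitive" match.
function asciiLower(s) {
  return s.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

// Browser side (section 7.1.5 as quoted): header field names converted to
// ASCII lowercase, in lexicographical order, comma-separated.
function serializeRequestHeaders(authorHeaderNames) {
  return authorHeaderNames.map(asciiLower).sort().join(",");
}

// Split an Access-Control-Request-Headers value into field names.
function parseHeaderList(value) {
  return value.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
}

// Server side (section 6.2 step 6 as quoted): every requested field name must
// be an ASCII case-insensitive match for an entry in the list of headers;
// if any is not, the server sets no additional headers.
function preflightHeadersAllowed(requestHeadersValue, allowedHeaders) {
  const allowed = new Set(allowedHeaders.map(asciiLower));
  return parseHeaderList(requestHeadersValue)
    .every((name) => allowed.has(asciiLower(name)));
}

// Exact-match variant, shown for contrast: with an allow-list written in
// canonical case it accepts "Content-Type" and rejects "content-type".
function preflightHeadersAllowedCaseSensitive(requestHeadersValue, allowedHeaders) {
  return parseHeaderList(requestHeadersValue)
    .every((name) => allowedHeaders.includes(name));
}

// Constructed sample allow-list; X-Requested-With is only an illustration.
const ALLOWED = ["Content-Type", "X-Requested-With"];

for (const value of ["Content-Type", "content-type", "content-type,x-unlisted"]) {
  console.log(JSON.stringify(value),
    "case-insensitive:", preflightHeadersAllowed(value, ALLOWED),
    "exact:", preflightHeadersAllowedCaseSensitive(value, ALLOWED));
}
```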

