
Re: [cors] Should browsers send non-user-controllable headers in Access-Control-Request-Headers?

From: Jarred Nicholls <jarred@webkit.org>
Date: Wed, 21 Dec 2011 22:38:24 -0500
Message-ID: <CANufG2ODdbAn_z2ktZ0EJktfKKdvd-ViVKLGEGpLEpRD5toX6A@mail.gmail.com>
To: Benson Margulies <bimargulies@gmail.com>
Cc: public-webapps@w3.org
On Wed, Dec 21, 2011 at 9:16 PM, Benson Margulies <bimargulies@gmail.com> wrote:

> Chrome sends:
>
> Access-Control-Request-Headers:Origin, Content-Type, Accept
>
> Is that just wrong?
>
>
The spec clearly says:  "author request headers: A list of headers set by
authors for the request. Empty, unless explicitly set."  So WebKit

For me, Chrome 16 sends Origin + <all_my_specified_headers>, so Chrome is
behaving incorrectly.  Safari 5.1.2 behaves correctly (though the header
list is not lowercased), and Firefox behaves correctly.
Received on Thursday, 22 December 2011 03:39:12 GMT
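
An added example, not part of the original message or of any browser's code: a server-side preflight check that parses Access-Control-Request-Headers case-insensitively and copes with a browser-controlled name such as Origin appearing in the list, as reported in this thread. The `ALLOWED` and `TOLERATED` sets, the function names and the sample values are assumptions made for the sketch.

```javascript
// Added example: server-side handling of Access-Control-Request-Headers.
// ALLOWED and TOLERATED are assumptions for this sketch, not values from the thread.
const ALLOWED = new Set(["content-type", "accept", "x-requested-with"]);
// Names a script cannot set itself; the thread reports Chrome 16 listing Origin anyway.
const TOLERATED = new Set(["origin"]);

// Split the header value into lowercase field names, dropping empty items.
// Lowercasing makes a mixed-case list compare equal to a lowercased one.
function parseRequestHeaders(value) {
  if (!value) return [];
  return value
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Decide a preflight: every requested name must be allowed or tolerated.
function checkPreflight(value) {
  const requested = parseRequestHeaders(value);
  const rejected = requested.filter((n) => !ALLOWED.has(n) && !TOLERATED.has(n));
  return {
    ok: rejected.length === 0,
    rejected,
    // Names in the list that the page author could not have set.
    nonAuthor: requested.filter((n) => TOLERATED.has(n)),
    // Echo back only names that were both requested and allowed.
    allowHeaders: requested.filter((n) => ALLOWED.has(n)).join(", "),
  };
}

// Constructed inputs modelled on the behaviours described in the thread.
const samples = {
  withOrigin: "Origin, Content-Type, Accept",
  mixedCase: "Content-Type,X-Requested-With",
  lowercased: "accept, content-type",
  unexpected: "content-type, x-internal-token",
};
for (const [label, value] of Object.entries(samples)) {
  console.log(label, JSON.stringify(checkPreflight(value)));
}
```

A missing or empty header parses to an empty list, which matches the quoted "Empty, unless explicitly set" case and is accepted with nothing to echo back.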
