W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2011

Re: [CORS] Access-Control-Request-Method

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 21 Dec 2011 23:37:35 -0500
Message-ID: <4EF2B40F.4080308@mit.edu>
To: public-webapps@w3.org
On 12/21/11 11:28 PM, Jarred Nicholls wrote:
> I'll try this again...
>
> The spec makes it very succinct in its preflight request steps that
> Access-Control-Request-Method should be sent, always.  However in WebKit
> and Firefox I'm observing this header only being sent when there are
> "author request headers" being sent in Access-Control-Request-Headers.
>   Is the spec not clear in these steps, or are we all just doing it
> wrong? :)

I'd like to understand your testcase.

Looking at the Firefox code for this, Access-Control-Request-Method is 
always sent when a preflight is done.

What might be confusing the issue is that preflights are not always 
done, maybe?  A preflight, per 
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request 
is done in the following cases:

1)  The "force preflight" flag is set.
2)  The request method is not a simple method.
3)  There is an author request header that's not a simple header.

(though it looks to me like item 1 is broken by the actual algorithm for 
doing a "cross-origin request with preflight"; Anne?)

In any case, if you're using XHR then #1 is likely not relevant, and if 
you use a GET method then you have a simple method.  So the only thing 
that would trigger preflights are author request headers that are not 
simple headers.

-Boris
Received on Thursday, 22 December 2011 04:38:07 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:49 GMT