- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 21 Dec 2011 23:37:35 -0500
- To: public-webapps@w3.org
On 12/21/11 11:28 PM, Jarred Nicholls wrote:
> I'll try this again...
>
> The spec makes it very succinct in its preflight request steps that
> Access-Control-Request-Method should be sent, always. However in WebKit
> and Firefox I'm observing this header only being sent when there are
> "author request headers" being sent in Access-Control-Request-Headers.
> Is the spec not clear in these steps, or are we all just doing it
> wrong? :)

I'd like to understand your testcase.

Looking at the Firefox code for this, Access-Control-Request-Method is always sent when a preflight is done.

What might be confusing the issue is that preflights are not always done, maybe? A preflight, per http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request is done in the following cases:

1) The "force preflight" flag is set.
2) The request method is not a simple method.
3) There is an author request header that's not a simple header.

(though it looks to me like item 1 is broken by the actual algorithm for doing a "cross-origin request with preflight"; Anne?)

In any case, if you're using XHR then #1 is likely not relevant, and if you use a GET method then you have a simple method. So the only thing that would trigger preflights are author request headers that are not simple headers.

-Boris
Received on Thursday, 22 December 2011 04:38:07 UTC
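
The three preflight triggers listed in the message above, modelled as an added example that is not part of the original post and is not Firefox or WebKit code. The function names and the request object shape are hypothetical; the simple-method and simple-header sets follow the CORS specification, and listing every author header name, lowercased and sorted, in Access-Control-Request-Headers is an assumption based on that specification's preflight steps.

```javascript
// Constructed model of the preflight decision; not browser source code.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]); // matched case-sensitively
const SIMPLE_HEADER_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A header is "simple" by name, or for Content-Type by its media type.
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADER_NAMES.has(n)) return true;
  if (n !== "content-type") return false;
  // Compare the media type only, ignoring parameters such as charset.
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// Returns which of the three cases from the message apply (empty = no preflight).
function preflightReasons({ method, authorHeaders = {}, forcePreflight = false }) {
  const reasons = [];
  if (forcePreflight) reasons.push("force preflight flag");
  if (!SIMPLE_METHODS.has(method)) reasons.push("non-simple method");
  const nonSimple = Object.entries(authorHeaders)
    .filter(([name, value]) => !isSimpleHeader(name, value));
  if (nonSimple.length > 0) reasons.push("non-simple author header");
  return reasons;
}

// Builds the OPTIONS preflight, or null when no preflight is made at all.
function buildPreflight(origin, request) {
  if (preflightReasons(request).length === 0) return null;
  const headers = {
    Origin: origin,
    // Sent on every preflight, whether or not author headers exist.
    "Access-Control-Request-Method": request.method,
  };
  // Assumption: all author header names are listed, lowercased and sorted.
  const names = Object.keys(request.authorHeaders || {})
    .map((n) => n.toLowerCase()).sort();
  if (names.length > 0) headers["Access-Control-Request-Headers"] = names.join(", ");
  return { method: "OPTIONS", headers };
}

// Constructed sample requests from a placeholder origin.
console.log(buildPreflight("https://app.example", { method: "GET" }));
console.log(buildPreflight("https://app.example", { method: "DELETE" }));
console.log(buildPreflight("https://app.example",
  { method: "GET", authorHeaders: { "X-Requested-With": "XMLHttpRequest" } }));
```

A GET with no custom headers produces no preflight, so neither header is ever observed; a DELETE with no author headers produces a preflight that carries Access-Control-Request-Method alone.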