W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2011

Re: [cors] The case of Http Headers in Access-Control-Request-Headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 22 Dec 2011 10:34:56 +0100
Message-ID: <4EF2F9C0.8090005@gmx.de>
To: Boris Zbarsky <bzbarsky@MIT.EDU>
CC: public-webapps@w3.org
On 2011-12-22 03:58, Boris Zbarsky wrote:
> On 12/21/11 9:43 PM, Benson Margulies wrote:
>> I just made a small discovery;
>>
>> Chrome 16 sends, e.g.
>>
>> Access-Control-Request-Headers: Content-Type
>>
>> Firefox 8.0 sends, contrastively:
>>
>> Access-Control-Request-Headers: content-type
>>
>> Given the requirement for case-sensitive comparison in the spec
>
> Where?
>
> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html section 6.2 step 6
> says:
>
> If any of the header field-names is not a ASCII case-insensitive
> match for any of the values in list of headers do not set any
> additional headers and terminate this set of steps.
>
> so the comparison is ASCII case-insensitive. That's as far as server
> requirements.
>
>  > this to me suggests that one of them is wrong. Which?
>
> As far as requirements on the browser go, the relevant part is section
> 7.1.5 step 1 second list item 2, which says:
>
> If author request headers is not empty include an
> Access-Control-Request-Headers header with as header field value
> a comma-separated list of the header field names from author
> request headers in lexicographical order, each converted to
> ASCII lowercase (even when one or more are a simple header).
>
> So what Firefox is doing is correct, and what Chrome is doing is wrong.

Indeed. However the requirement in the spec sounds really pointless.

Best regards, Julian
Received on Thursday, 22 December 2011 09:35:42 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:49 GMT