W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2012

Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Date: Mon, 09 Jan 2012 14:17:50 +0000
Message-ID: <1326118670.1954.1.camel@shakespeare>
To: Anne van Kesteren <annevk@opera.com>
Cc: public-webapps@w3.org
On Sat, 2011-12-17 at 16:10 +0100, Anne van Kesteren wrote:
> On Fri, 29 Jul 2011 14:25:07 +0200, Vladimir Dzhuvinov  
> <vladimir@dzhuvinov.com> wrote:
> > Regarding "6. Resource processing model": [item 3] "A list of headers
> > consisting of zero or more header field names that are supported by
> > the resource.":
> >
> > Is this list supposed to be
> >
> > 1) of the non-simple headers only - as per
> > http://dev.w3.org/2006/waf/access-control/#simple-header or
> >
> > 2) of all supported headers that the author may choose to set,
> > including those that qualify as simple?
> >
> > Because right now the Java CORS filter expects to receive only
> > non-simple headers in "Access-Control-Request-Headers", and if for
> > some reason the browser has decided to include a simple header, e.g.
> > "Accept", in the preflight request it won't be allowed to proceed.
> 
> My apologies for forgetting to reply to this message. Fortunately it was  
> still somewhere in my inbox! It seems your Java CORS filter has a bug as  
> simple headers can be included there (for consistency).

This and a few other issues with the CORS Filter were sorted out last
year thanks to user feedback and patches.


Happy new year, Anne!


-- 
Vladimir Dzhuvinov :: vladimir@dzhuvinov.com
Received on Monday, 9 January 2012 15:18:44 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:49 GMT