
Re: [CORS] Access-Control-Request-Method

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 14 Feb 2012 18:38:08 +0100
To: "Boris Zbarsky" <bzbarsky@mit.edu>
Cc: public-webapps@w3.org, "Adam Barth" <abarth@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>, Odin Hørthe Omdal <odinho@opera.com>
Message-ID: <op.v9oi9uet64w2qv@annevk-macbookpro.local>

On Thu, 22 Dec 2011 17:05:08 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> No, what I mean is this.  Say we enter  
> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request  
> with the following state:
> * "force preflight" flag is true
> * Request method is simple method
> * No author request headers
> * Empty preflight cache (not that this matters)
> The spec says we should "follow the cross-origin request with preflight  
> algorithm."
> Following that link, it says:
>    Go to the next step if the following conditions are true:
>      For request method there either is a method cache match or it is a
>      simple method.
>      For every header of author request headers there either is a header
>      cache match for the field name or it is a simple header.
> Since the method is a simple method and there are no author request  
> headers, we skip the preflight and go on to the main request.
> Now it's possible that I simply don't understand what this flag is  
> _supposed_ to do or that I'm missing something....

So the idea behind the force preflight flag is that there's a preflight  
request if upload event listeners are registered, because otherwise you  
can determine the existence of a server. Now the obvious way to fix CORS  
would be to add an additional condition in the text you quoted above,  
namely that the force preflight flag is unset; however, that would mean  
that caching is bypassed too.

How is this implemented in practice?

Jonas, Adam, Odin, any ideas?

Anne van Kesteren
Received on Tuesday, 14 February 2012 17:38:41 UTC
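
The preflight-skip condition discussed in this thread, modelled as an added example (not part of the original message, the CORS specification text, or any browser's code). It compares the condition as quoted with the variant that also requires the force preflight flag to be unset; the request and cache object shapes and all function names are assumptions made for illustration.

```javascript
// Added illustration, not spec text or browser code.
// Simplified: the preflight result cache is modelled as two sets for one
// origin/URL pair; real entries also carry credentials and max-age.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADER_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADER_NAMES.has(n)) return true;
  if (n !== "content-type") return false;
  // Compare the media type only, ignoring parameters such as charset.
  return SIMPLE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
}

// The condition exactly as quoted: the force preflight flag is never consulted.
function skipsPreflightAsQuoted(req, cache) {
  const methodOk = cache.methods.has(req.method) || SIMPLE_METHODS.has(req.method);
  const headersOk = Object.entries(req.headers).every(
    ([name, value]) => cache.headers.has(name.toLowerCase()) || isSimpleHeader(name, value)
  );
  return methodOk && headersOk;
}

// The quoted condition plus "force preflight flag is unset".
function skipsPreflightWithFlagCheck(req, cache) {
  return !req.forcePreflight && skipsPreflightAsQuoted(req, cache);
}

function compare(req, cache) {
  return {
    asQuoted: skipsPreflightAsQuoted(req, cache),
    withFlagCheck: skipsPreflightWithFlagCheck(req, cache),
  };
}

const emptyCache = { methods: new Set(), headers: new Set() };
const warmCache = { methods: new Set(["PUT"]), headers: new Set(["x-demo"]) };

// State from the quoted message: flag set, simple method, no author headers.
const quotedState = { forcePreflight: true, method: "GET", headers: {} };
// Constructed second case: flag set, non-simple request already in the cache.
const cachedState = { forcePreflight: true, method: "PUT", headers: { "X-Demo": "1" } };

console.log(compare(quotedState, emptyCache));
console.log(compare(cachedState, warmCache));
```

In the second case the flag check forces a preflight even though the cache already covers the request, which is the caching side effect raised in the message.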
