[Bug 15312] New: lowercasing requirement for Access-Control-Request-Headers harmful

From: <bugzilla@jessica.w3.org>
Date: Thu, 22 Dec 2011 10:26:19 +0000
To: public-webappsec@w3.org
Message-ID: <bug-15312-4874@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=15312

           Summary: lowercasing requirement for
                    Access-Control-Request-Headers harmful
           Product: WebAppsSec
           Version: unspecified
          Platform: All
               URL: http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request-with-preflight-0
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: CORS
        AssignedTo: annevk@opera.com
        ReportedBy: julian.reschke@gmx.de
         QAContact: dave.null@w3.org
                CC: mike@w3.org, public-webappsec@w3.org


"If author request headers is not empty include an
Access-Control-Request-Headers header with as header field value a
comma-separated list of the header field names from author request headers in
lexicographical order, each converted to ASCII lowercase (even when one or more
are a simple header)."

The requirement to lower-case header field names is harmful; it introduces an
inconsistency with other HTTP header fields (Vary, Connection) that is not
needed, as header field names are supposed to be compared case-insensitively
anyway.

Received on Thursday, 22 December 2011 10:26:42 GMT
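
The point argued in the report, seen from the server side of a preflight, as an added example that is not part of the bug report or the CORS specification: a check on Access-Control-Request-Headers that folds case accepts both the lowercased form the quoted text requires and the original casing, while an exact-match check depends on which form the client sends. The allow-list `ALLOWED_HEADERS` and all function names are assumptions made for illustration.

```python
import re

# Characters permitted in an HTTP header field name (the "token" grammar).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Hypothetical server policy: request headers this resource accepts cross-origin.
ALLOWED_HEADERS = ("Content-Type", "X-Requested-With", "Authorization")


def parse_field_names(value):
    """Split a comma-separated list of header field names.

    Surrounding whitespace is trimmed, empty list elements are skipped and
    anything that is not a valid token is rejected outright.
    """
    names = []
    for item in value.split(","):
        name = item.strip(" \t")
        if not name:
            continue
        if not _TOKEN.match(name):
            raise ValueError(f"invalid header field name: {name!r}")
        names.append(name)
    return names


def preflight_allows(request_headers_value, allowed=ALLOWED_HEADERS):
    """Case-insensitive check: every requested name must be on the allow-list."""
    allowed_folded = {h.lower() for h in allowed}
    requested = parse_field_names(request_headers_value)
    return all(name.lower() in allowed_folded for name in requested)


def preflight_allows_case_sensitive(request_headers_value, allowed=ALLOWED_HEADERS):
    """Brittle variant: exact string match against the allow-list."""
    requested = parse_field_names(request_headers_value)
    return all(name in allowed for name in requested)


if __name__ == "__main__":
    # Constructed sample values: the same two headers, lowercased and sorted
    # as the quoted spec text requires, and in their original casing.
    for sample in ("authorization, content-type", "Authorization, Content-Type"):
        print(sample, preflight_allows(sample), preflight_allows_case_sensitive(sample))
```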