- From: Glenn Adams <glenn@skynav.com>
- Date: Thu, 7 Jun 2012 18:07:02 -0600
- To: "SULLIVAN, BRYAN L" <bs3131@att.com>
- Cc: W3C CoreMob CG <public-coremob@w3.org>
- Message-ID: <CACQ=j+d2Zs9Q2QgVnucdvZHpsMbb-D_X7V+5p8MYG0sA+JaZzA@mail.gmail.com>
On Thu, Jun 7, 2012 at 5:53 PM, SULLIVAN, BRYAN L <bs3131@att.com> wrote: > Glenn, > > As I read the CORS spec the Origin is required in at least some cases, > e.g. as in 6.1 "Resources must use the following set of steps to determine > which additional headers to use in the response: > > 1. If the Origin< > http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#http-origin> header > is not present terminate this set of steps. The request is outside the > scope of this specification." > > The requirement here is on the receiver but it implies that a sender that > does not include the Origin header is making an ineffectual request. Thus > the MUST is at least implied, for UAs that intend to make cross-origin > requests. > I would not agree that this language implies the Origin header MUST be present in the request, as it specifies the behavior on the server (receiver of request) if it is not present. Of course, if a CORS request is missing an Origin header, then the language you cite will terminate the algorithm in 6.1 (without specifying what the result should or may be I might add, since it is rules "out of scope"). The fact is that nothing in HTML5 nor CORS requires a UA to send an Origin header even if it (the UA) implements CORS and is performing a CORS request. I've asked both hixie and anne if this is the case, and they both agree it is correct. My understanding is that Ian does not want to specify when Origin header must be sent since HTML5 does not require use of HTTP. And Anne does not choose to go beyond the current language in CORS.
Received on Friday, 8 June 2012 00:08:02 UTC