RE: on requiring origin request header?

Comment inline.

Thanks,
Bryan Sullivan 

From: Glenn Adams [mailto:glenn@skynav.com] 
Sent: Thursday, June 07, 2012 5:07 PM
To: SULLIVAN, BRYAN L
Cc: W3C CoreMob CG
Subject: Re: on requiring origin request header?


On Thu, Jun 7, 2012 at 5:53 PM, SULLIVAN, BRYAN L <bs3131@att.com> wrote:
Glenn,

As I read the CORS spec the Origin is required in at least some cases, e.g. as in 6.1 "Resources must use the following set of steps to determine which additional headers to use in the response:

 1.  If the Origin<http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#http-origin> header is not present terminate this set of steps. The request is outside the scope of this specification."

The requirement here is on the receiver but it implies that a sender that does not include the Origin header is making an ineffectual request. Thus the MUST is at least implied, for UAs that intend to make cross-origin requests.

I would not agree that this language implies the Origin header MUST be present in the request, as it specifies the behavior on the server (receiver of request) if it is not present.

Of course, if a CORS request is missing an Origin header, then the language you cite will terminate the algorithm in 6.1 (without specifying what the result should or may be I might add, since it is ruled "out of scope").

The fact is that nothing in HTML5 nor CORS requires a UA to send an Origin header even if it (the UA) implements CORS and is performing a CORS request.

<bryan> OK I agree on the reading but the effect again is that a CORS-compliant server will not accept a request that is missing the Origin header. Any behavior outside the spec is irrelevant here. The question is whether CoreMob will require CORS server compatibility in the user agent (meaning when a cross-origin request is attempted, it must include an Origin header). Since CORS will be an important feature IMO, I think CoreMob should verify CORS-compatible behavior (note I use the term "compatible" here on purpose). 

I've asked both hixie and anne if this is the case, and they both agree it is correct. My understanding is that Ian does not want to specify when Origin header must be sent since HTML5 does not require use of HTTP. And Anne does not choose to go beyond the current language in CORS.

Received on Friday, 8 June 2012 00:20:46 UTC