Re: on requiring origin request header?

On Thu, Jun 7, 2012 at 6:19 PM, SULLIVAN, BRYAN L <bs3131@att.com> wrote:

> Comment inline.
>
> Thanks,
> Bryan Sullivan
>
> From: Glenn Adams [mailto:glenn@skynav.com]
> Sent: Thursday, June 07, 2012 5:07 PM
> To: SULLIVAN, BRYAN L
> Cc: W3C CoreMob CG
> Subject: Re: on requiring origin request header?
>
>
> On Thu, Jun 7, 2012 at 5:53 PM, SULLIVAN, BRYAN L <bs3131@att.com> wrote:
> Glenn,
>
> As I read the CORS spec the Origin is required in at least some cases,
> e.g. as in 6.1 "Resources must use the following set of steps to determine
> which additional headers to use in the response:
>
>  1.  If the Origin <http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#http-origin>
> header is not present terminate this set of steps. The request is outside the
> scope of this specification."
>
> The requirement here is on the receiver but it implies that a sender that
> does not include the Origin header is making an ineffectual request. Thus
> the MUST is at least implied, for UAs that intend to make cross-origin
> requests.
>
> I would not agree that this language implies the Origin header MUST be
> present in the request, as it specifies the behavior on the server
> (receiver of request) if it is not present.
>
> Of course, if a CORS request is missing an Origin header, then the
> language you cite will terminate the algorithm in 6.1 (without specifying
> what the result should or may be, I might add, since it is ruled "out of
> scope").
>
> The fact is that nothing in HTML5 nor CORS requires a UA to send an Origin
> header even if it (the UA) implements CORS and is performing a CORS request.
>
> <bryan> OK I agree on the reading but the effect again is that a
> CORS-compliant server will not accept a request that is missing the Origin
> header. Any behavior outside the spec is irrelevant here.


I'm not sure I would agree. For example, the CORS spec could specify that a
specific HTTP response code is returned. As specified, it is server
dependent what the behavior is, e.g., close connection without a response,
send one response code or another, etc.


> The question is whether CoreMob will require CORS server compatibility in
> the user agent (meaning when a cross-origin request is attempted, it must
> include an Origin header).

> Since CORS will be an important feature IMO, I think CoreMob should verify
> CORS-compatible behavior (note I use the term "compatible" here on purpose).
>
> I've asked both hixie and anne if this is the case, and they both agree it
> is correct. My understanding is that Ian does not want to specify when
> Origin header must be sent since HTML5 does not require use of HTTP. And
> Anne does not choose to go beyond the current language in CORS.
>

Received on Friday, 8 June 2012 03:17:42 UTC
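The resource-side steps of CORS section 6.1 that the thread argues over, written out as an added Python example (not code from the thread or from the CORS specification): a missing Origin header only takes the request out of CORS scope, the server still serves it however it likes, and it is the browser-side check that then refuses the page access to the response. The allowed-origin list, header dicts and sample origins are constructed for illustration.

```python
OUT_OF_SCOPE = "out of scope"  # constructed label for "terminate this set of steps"


def cors_response_headers(request_headers, allowed_origins,
                          supports_credentials=False, exposed_headers=()):
    """Additional response headers a resource adds per CORS 6.1 (actual request).

    request_headers: dict of request header name -> value (names are case-insensitive).
    allowed_origins: list of origin strings, or "*" to allow any origin.
    Returns (headers, note); note says why nothing was added, or "ok".
    """
    lowered = {k.lower(): v for k, v in request_headers.items()}
    origin = lowered.get("origin")

    # Step 1: no Origin header -> outside the scope of CORS. The spec says nothing
    # about a status code here; the resource is served as any other request would be.
    if origin is None:
        return {}, OUT_OF_SCOPE

    # Step 2: Origin must be a case-sensitive match for an entry in the list of origins.
    if allowed_origins != "*" and origin not in allowed_origins:
        return {}, "origin not allowed"

    headers = {}
    # Step 3: with credentials the header must echo the Origin value, never "*".
    if supports_credentials:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    else:
        headers["Access-Control-Allow-Origin"] = "*" if allowed_origins == "*" else origin
    # Step 4: name any non-simple response headers the client is allowed to read.
    if exposed_headers:
        headers["Access-Control-Expose-Headers"] = ", ".join(exposed_headers)
    return headers, "ok"


def client_may_read(response_headers, request_origin, with_credentials=False):
    """Browser-side resource sharing check: may a page at request_origin read the body?

    This is where a UA that never sent Origin loses: the server emitted no
    Access-Control-Allow-Origin, so the response is withheld from the page.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials  # "*" is not acceptable once credentials are sent
    return acao == request_origin
```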