[Bug 16841] New: Expected use of Origin HTTP header from bugzilla@jessica.w3.org on 2012-04-24 (public-html@w3.org from April 2012)

From: <bugzilla@jessica.w3.org>
Date: Tue, 24 Apr 2012 17:52:28 +0000
To: public-html@w3.org
Message-ID: <bug-16841-2495@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=16841

           Summary: Expected use of Origin HTTP header
           Product: HTML WG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: Pat_Ladd2@cable.comcast.com
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


Section 2.7.6 "CORS-enabled fetch" executes the CORS "resource sharing check"
which fails if the server did not include an Access-Control-Allow-Origin header
in the response to the request.  This implies that if the user agent did not
send an Origin header the resource sharing check will fail and cause the
potentially CORS-enabled fetch to taint or fail depending on the mode.  In
order to clarify the expectation, one possible solution is a statement
describing what happens when the Origin header is not sent by the user agent. 
For example, add a sentence at the end of the first paragraph in section 2.7.6
that states, "If the user agent did not include an Origin header in the
request, then the result of the potentially CORS-enabled fetch is success as
defined for URL has the same origin as origin."

-- 
Configure bugmail: https://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Received on Tuesday, 24 April 2012 17:58:36 UTC