- From: roryhewitt <notifications@github.com>
- Date: Tue, 22 Mar 2016 09:54:34 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/251/199903830@github.com>
@mozfreddyb:

> we should disallow credentials in the wildcard case

Are you saying that **if** `Access-Control-Allow-Headers: *` is specified for the request, then the server **cannot** include `Access-Control-Allow-Credentials: true` in the response? Or that if `Access-Control-Allow-Credentials: true` **is** specified in the response, then the browser must throw an error?

I assumed that forbidden headers would be disallowed anyway :)

Sorry if that wasn't clear. To clarify, I would update https://fetch.spec.whatwg.org/#cors-preflight-fetch to have something like the following:

5.7.7.2: Let _headerNames_ be the result of parsing `Access-Control-Allow-Headers` in response's header list. If `Access-Control-Allow-Headers` was passed with a value of `*`, set the value of _headerNames_ to `*`.

5.7.7.6: If _headerNames_ is not set to `*` and if one of request's _header list's names_ is not in _headerNames_ and its corresponding header is not a simple header or if , return a network error.

Does that make sense?

---
View it on GitHub: https://github.com/whatwg/fetch/issues/251#issuecomment-199903830
Received on Tuesday, 22 March 2016 16:55:09 UTC
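The proposed preflight steps above, modelled as an added example that is not part of the thread or of the Fetch spec; `parseAllowHeaders`, `preflightHeaderCheck` and the simplified simple-header set are assumptions, and the credentials rule follows the quoted suggestion that the wildcard should not apply when credentials are sent.

```javascript
// Added example (not from the issue thread or the spec). Models a browser's
// preflight response check for Access-Control-Allow-Headers with "*" support.

// Simplified "simple header" set; the real safelist also restricts the
// Content-Type value, which this example does not check.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Proposed step 5.7.7.2: parse the Access-Control-Allow-Headers value into a
// list of lowercase names, or the literal string "*" if a wildcard was sent.
function parseAllowHeaders(value) {
  if (value === null || value === undefined) return [];
  const names = value.split(",").map(s => s.trim()).filter(s => s.length > 0);
  if (names.includes("*")) return "*";
  return names.map(n => n.toLowerCase());
}

// Proposed step 5.7.7.6, plus the caveat raised in the thread: when the
// request carries credentials, "*" is not a wildcard and is treated as a
// literal header name, so unlisted non-simple headers still fail.
function preflightHeaderCheck(requestHeaderNames, allowHeadersValue, credentialsIncluded) {
  let headerNames = parseAllowHeaders(allowHeadersValue);
  if (headerNames === "*" && credentialsIncluded) headerNames = ["*"];
  if (headerNames === "*") return { ok: true };
  const allowed = new Set(headerNames);
  for (const raw of requestHeaderNames) {
    const name = raw.toLowerCase();
    if (!allowed.has(name) && !SIMPLE_HEADERS.has(name)) {
      // "return a network error" in the spec's terms
      return { ok: false, reason: `request header "${raw}" not allowed by preflight` };
    }
  }
  return { ok: true };
}

// Constructed sample: a credentialed request with a custom header against a
// server that answers with the wildcard.
console.log(preflightHeaderCheck(["X-Custom", "Content-Type"], "*", true));
```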