- From: roryhewitt <notifications@github.com>
- Date: Tue, 22 Mar 2016 12:02:02 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/251/199964494@github.com>
@sicking, I'm fine with adding * support for all three of these headers (if no credentials are in play).

One thought: A webserver admin might look at this and say "I don't want to specify Access-Control-Allow-Methods: *, since that is effectively saying that I will allow a DELETE request". Of course, we're only talking about the preflight OPTIONS response here, and there's no requirement that the server ACTUALLY responds to a DELETE request, but it might raise some red flags.

From a conceptual POV, AC-Allow-Headers and AC-Allow-Methods are different.

On Tue, Mar 22, 2016 at 11:26 AM, Jonas Sicking <notifications@github.com> wrote:

> I really like the idea that we allow Access-Control-Allow-Origin: *,
> Access-Control-Allow-Headers: * and Access-Control-Allow-Methods: *,
> but only when Access-Control-Allow-Credentials: true is not set.
>
> When Access-Control-Allow-Credentials: true is set, then * is a forbidden
> value for all of Access-Control-Allow-Origin, Access-Control-Allow-Headers
> and Access-Control-Allow-Methods. If at that point a * is received for
> either of those headers, the header is ignored.
>
> That's consistent with how Access-Control-Allow-Origin currently works,
> and should be very safe and cover the common use cases.

--
Rory Hewitt
http://www.linkedin.com/in/roryhewitt

---
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/251#issuecomment-199964494
Received on Tuesday, 22 March 2016 19:02:29 UTC
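
The rule discussed in this message, worked through as an added example (not part of the original e-mail and not code from the Fetch Standard): a preflight check in which `*` is honoured for all three headers without credentials and the header carrying it is ignored with credentials. The function names, the `req`/`res` object shapes and the sample origin are assumptions, and `req.headers` is assumed to list only the non-safelisted request header names.

```javascript
// Added example: evaluates a preflight response under the rule proposed in the
// thread. Names are hypothetical; this is not code from the Fetch Standard.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Split a comma-separated header value into trimmed, non-empty tokens.
function parseList(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

// req: { origin, method, headers: [non-safelisted header names], credentials }
// res: preflight response headers, keyed by lower-case header name.
function checkPreflight(req, res) {
  const withCreds = req.credentials === true;
  const isStar = (v) => v !== undefined && v.trim() === "*";
  // Proposed rule: with credentials, "*" is forbidden and the header is ignored.
  const read = (name) => (withCreds && isStar(res[name]) ? undefined : res[name]);

  const origin = read("access-control-allow-origin");
  if (origin === undefined || (!isStar(origin) && origin.trim() !== req.origin)) {
    return { ok: false, reason: "origin" };
  }
  if (withCreds && res["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials" };
  }

  const methods = read("access-control-allow-methods");
  const methodOk = isStar(methods) || SAFELISTED_METHODS.has(req.method) ||
    parseList(methods).includes(req.method); // method names are case-sensitive
  if (!methodOk) return { ok: false, reason: "method" };

  const headers = read("access-control-allow-headers");
  const allowed = parseList(headers).map((h) => h.toLowerCase());
  const headersOk = isStar(headers) ||
    req.headers.every((h) => allowed.includes(h.toLowerCase()));
  if (!headersOk) return { ok: false, reason: "headers" };
  return { ok: true, reason: null };
}

// Constructed sample: a server that answers every preflight with wildcards.
const wildcardResponse = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "*",
};
const request = { origin: "https://app.example", method: "DELETE", headers: ["X-Token"] };
console.log(checkPreflight({ ...request, credentials: false }, wildcardResponse));
```

A passing result here only means the browser would go on to send the DELETE; as the message notes, the server is still free to refuse the actual request.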