[whatwg/fetch] access-conrol-allow-origin: * can be interpreted in two ways (#548) from Yutaka Hirano on 2017-05-24 (public-webapps-github@w3.org from May 2017)

From: Yutaka Hirano <notifications@github.com>
Date: Wed, 24 May 2017 04:06:21 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/548@github.com>

access-control-allow-origin = #field-name / wildcard

where

field-name = token
token = 1*tchar
tchar contains `*`
.

It means "*"  can be interpreted in two ways.

1. Allow all headers.
1. Allow a header whose name is "*".

> 1. Let headerNames be the result of extracting header list values given `Access-Control-Expose-Headers` and response’s header list.
> 1. If headerNames is `*` and request’s credentials mode is not "include", then set response’s CORS-exposed header-name list to all unique header names in response’s header list.
> 1. Otherwise, if headerNames is not null, failure, or `*`, then set response’s CORS-exposed header-name list to headerNames.

This sounds like

1. if _headerName_ is `*`, the symbol should be interpreted in the first way.
1. if _headerName_ contains `*` but _headerName_ is not `*`, the symbol should be interpreted in the second way.

I feel it confusing.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/548

Received on Wednesday, 24 May 2017 11:07:00 UTC