[whatwg/fetch] No documentation on how a server must respond to a wrong CORS-headers-request. (#1102)

The specification states that a client must send `Access-Control-Request-Method` and `Access-Control-Request-Headers` headers to the server to "indicate which method/headers a future CORS request to the same resource might use".

But there is nowhere to be found explicitly why a server needs them and how it should react if these client-sent headers are not included in the response.

What I've found:
- A client must send `Access-Control-Request-Method` and `Access-Control-Request-Headers`.
- A server must respond with the available `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers`.
- A server must respond with 2xx status if it allows CORS requests.
- A server must respond with 403 status if it doesn't allow any CORS requests.

But nothing states what a server should respond with if it allows CORS requests but the requested method or headers are not available.

Example request/response:

REQUEST:
Access-Control-Request-Method: BADMETHOD
Access-Control-Request-Headers: Bad-Header

RESPONSE: 200 OK (204 NO CONTENT)
Access-Control-Allow-Methods: OPTIONS,HEAD,GET,PUT,POST,DELETE
Access-Control-Allow-Headers: Origin,X-Requested-With,Content-Type,Accept

This seems illogical because these headers are of no use to the server: the server has a static response no matter what the requested headers were.

Thank you in advance.

https://github.com/whatwg/fetch/issues/1102

Received on Tuesday, 20 October 2020 18:40:33 UTC
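The exchange in the issue, modelled in Node.js as an added example that is not part of the original post, the whatwg/fetch repository, or the Fetch spec's own text. The server side answers OPTIONS with the static lists from the issue and ignores the `Access-Control-Request-*` headers, exactly as the reporter describes; the browser side is a simplified version of the Fetch spec's "CORS-preflight fetch" steps, which compare the requested method and header names against `Access-Control-Allow-Methods` / `Access-Control-Allow-Headers` and fail the request (a network error) on a mismatch or on a non-2xx status. The origin allowlist (`https://app.example`), the helper names (`handlePreflight`, `preflightCheck`, `roundTrip`) and the request objects are constructed for this example and are not from the issue.

```javascript
// Added example; not code from the Fetch spec, the whatwg/fetch repo or the
// issue author. It models both sides of the exchange quoted in the issue:
// a server that answers OPTIONS with a static allowlist, and the browser-side
// check (simplified from the Fetch spec's "CORS-preflight fetch" steps) that
// compares the requested method and header names against the Allow-* headers.
// The origin allowlist and the request objects are constructed for the example.

// Static server policy, values copied from the issue's example response.
const ALLOWED_METHODS = ["OPTIONS", "HEAD", "GET", "PUT", "POST", "DELETE"];
const ALLOWED_HEADERS = ["Origin", "X-Requested-With", "Content-Type", "Accept"];
// Assumed origin allowlist (not in the issue).
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Server side: answer a preflight. The Access-Control-Request-* headers are
// deliberately not consulted, as in the issue's example; the server only
// decides whether this origin may talk to it at all (204) or not (403).
function handlePreflight(req) {
  const origin = req.headers["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin,
      "vary": "Origin",
      "access-control-allow-methods": ALLOWED_METHODS.join(","),
      "access-control-allow-headers": ALLOWED_HEADERS.join(","),
    },
  };
}

// Split a comma-separated header value into trimmed, non-empty tokens.
function parseList(value) {
  if (value === undefined) return [];
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Methods that never fail the method check, per the Fetch spec.
const CORS_SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Browser side: given the preflight request it sent and the response it got,
// decide whether the actual request may go out. Returns { ok: true } or
// { ok: false, reason }; a failure here is what the spec calls a network error.
function preflightCheck(preflightReq, res, { credentials = false } = {}) {
  const origin = preflightReq.headers["origin"];
  const allowOrigin = res.headers["access-control-allow-origin"];
  // CORS check: Allow-Origin must name the origin ("*" only without credentials).
  if (allowOrigin !== origin && !(allowOrigin === "*" && !credentials)) {
    return { ok: false, reason: "Access-Control-Allow-Origin does not match" };
  }
  // The preflight response must have an ok (2xx) status; a 403 fails here.
  if (res.status < 200 || res.status > 299) {
    return { ok: false, reason: `preflight status ${res.status} is not 2xx` };
  }
  const method = preflightReq.headers["access-control-request-method"];
  const methods = parseList(res.headers["access-control-allow-methods"]);
  const methodWildcard = !credentials && methods.includes("*");
  if (!methods.includes(method) && !CORS_SAFELISTED_METHODS.has(method) && !methodWildcard) {
    return { ok: false, reason: `method ${method} not in Access-Control-Allow-Methods` };
  }
  // Header names compare byte-case-insensitively; "*" never covers Authorization.
  const allowed = parseList(res.headers["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const headerWildcard = !credentials && allowed.includes("*");
  for (const name of parseList(preflightReq.headers["access-control-request-headers"])) {
    const lower = name.toLowerCase();
    if (allowed.includes(lower)) continue;
    if (headerWildcard && lower !== "authorization") continue;
    return { ok: false, reason: `header ${name} not in Access-Control-Allow-Headers` };
  }
  return { ok: true };
}

// Build a preflight request object for the example (constructed input).
function preflightRequest(origin, method, headerNames) {
  return {
    headers: {
      origin,
      "access-control-request-method": method,
      "access-control-request-headers": headerNames.join(","),
    },
  };
}

// Run one full preflight round trip against the static server above.
function roundTrip(origin, method, headerNames, opts) {
  const req = preflightRequest(origin, method, headerNames);
  return preflightCheck(req, handlePreflight(req), opts);
}

// The issue's example: the server answers 204 with its static lists, and the
// browser itself rejects the request because BADMETHOD is not listed.
console.log(roundTrip("https://app.example", "BADMETHOD", ["Bad-Header"]));
// A request the static policy covers passes.
console.log(roundTrip("https://app.example", "PUT", ["X-Requested-With", "Content-Type"]));
// A disallowed origin gets 403 and fails before any method check.
console.log(roundTrip("https://evil.example", "GET", []));
```

The point for a server implementer: the `Access-Control-Request-*` headers exist so a server that wants to can tailor its answer, but a static allowlist is a valid answer because the enforcement happens in the browser. What a server should avoid is echoing the requested method or header names back into the `Allow-*` headers unchecked, which turns the preflight into a formality.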