[cors] Simplify CORS Headers (ISSUE-89)

Here is a brief proposal for how we could simplify the current set of CORS  
headers. We can use this thread to evaluate whether it is worth breaking  
with what Firefox, Safari, Chrome, and IE are doing now. And whether all  
parties are willing to change their supported syntax in due course.

Furthermore, I suggest that if we have nothing conclusive on this topic by  
June 15 we consider ISSUE-89[1] as resolved. We have to move on at some  
point. (Maybe the chairs should issue a CfC for this to make it official.)

I suggest we merge Access-Control-Allow-Origin,  
Access-Control-Allow-Credentials, and Access-Control-Max-Age into a new  
header, named CORS. The syntax of this new header would be:

   "CORS" : "credentials"? origin-value delta-seconds?

Access-Control-Allow-Methods and Access-Control-Allow-Headers become  
CORS-Methods and CORS-Headers respectively. I do not think it is worth  
trying to merge these in as well.

We keep the Origin header.

And Access-Control-Request-Method and Access-Control-Request-Headers are  
merged into a new header, named CORS-Preflight. The syntax of this new  
header would be:

   "CORS-Preflight" : Method [SP field-name]*


Anne van Kesteren

Received on Friday, 7 May 2010 00:30:56 UTC
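
The two grammars proposed in the message above, as an added example that is not part of the original e-mail or of any browser's code: strict parsers for the CORS and CORS-Preflight values, plus a mapping back to the three Access-Control-* response headers the message wants to merge. The function names, the origin-value pattern, the rejection of "*" together with credentials (mirroring how the existing headers are processed) and the sample values are assumptions made here.

```javascript
// Added example: strict parsers for the header syntax proposed in the message.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // HTTP token (Method, field-name)
// Assumption: origin-value is "*", "null" or a single scheme://host[:port].
const ORIGIN = /^(\*|null|[a-z][a-z0-9+.-]*:\/\/[^\s\/?#@]+)$/i;

// "CORS" : "credentials"? origin-value delta-seconds?
function parseCors(value) {
  const t = value.trim().split(/\s+/);
  const out = { credentials: false, origin: null, maxAge: null };
  if (t[0] === 'credentials') { out.credentials = true; t.shift(); }
  if (!ORIGIN.test(t[0] || '')) throw new SyntaxError('bad origin-value');
  out.origin = t.shift();
  if (t.length && /^\d+$/.test(t[0])) out.maxAge = Number(t.shift());
  if (t.length) throw new SyntaxError('unexpected token: ' + t[0]);
  // Assumption mirroring the existing headers: a wildcard origin must not be
  // combined with credentials, so the merged form is rejected as well.
  if (out.credentials && out.origin === '*')
    throw new SyntaxError('"*" not allowed with credentials');
  return out;
}

// Express a parsed CORS value as the three headers it would replace.
function toAccessControl(c) {
  const h = { 'Access-Control-Allow-Origin': c.origin };
  if (c.credentials) h['Access-Control-Allow-Credentials'] = 'true';
  if (c.maxAge !== null) h['Access-Control-Max-Age'] = String(c.maxAge);
  return h;
}

// "CORS-Preflight" : Method [SP field-name]*
function parsePreflight(value) {
  const [method, ...headers] = value.split(' '); // exactly one SP per separator
  if (![method, ...headers].every((x) => TOKEN.test(x)))
    throw new SyntaxError('expected Method followed by field-names');
  return { method, headers };
}

// Constructed sample values, not taken from the message.
console.log(toAccessControl(parseCors('credentials http://example.org 3600')));
console.log(parsePreflight('PUT Content-Type X-Custom'));
```

Because every component of the merged value except origin-value is optional and positional, the parser rejects any leftover token rather than guessing which slot it was meant for.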