W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

CORS Header Filtering?

From: Nathan <nathan@webr3.org>
Date: Wed, 12 May 2010 19:50:09 +0100
Message-ID: <4BEAF861.5000906@webr3.org>
To: public-webapps <public-webapps@w3.org>

Serious concern this time, I've just noted that as per 6.1 Cross-Origin 
Request of the CORS spec, User Agents must strip all response headers 
other than:

* Cache-Control
* Content-Language
* Content-Type
* Expires
* Last-Modified
* Pragma

This simply can't be, many other headers are needed

Link header is going to be heavily used (notably for Web Access Control!)

Allow is needed when there's a 405 response (use GET instead of POST)

Content-Location is needed to be able to show the user the real URI and 
provide it for subsequent requests and bookmarks

Location is needed when a new resource has been created via POST (where 
a redirect wouldn't happen).

Retry-After & Warning are needed for rather obvious reasons.

There are non rfc2616 headers on which functionality is often dependent 
(DAV headers for instance) - SPARQL Update also exposes via the 
MS-Author-via header.

In short there are a whole host of reasons why many different headers 
are needed (including many not listed here).

Received on Wednesday, 12 May 2010 18:58:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:07 UTC