Re: [cors] Simplify CORS Headers (ISSUE-89)

On May 6, 2010, at 5:30 PM, Anne van Kesteren wrote:

> Here is a brief proposal for how we could simplify the current set of CORS headers. We can use this thread to evaluate whether it is worth breaking with what Firefox, Safari, Chrome, and IE are doing now. And whether all parties are willing to change their supported syntax in due course.
> 
> Furthermore, I suggest that if we have nothing conclusive on this topic by June 15 we consider ISSUE-89[1] as resolved. We have to move on at some point. (Maybe the chairs should issue a CfC for this to make it official.)
> 
> 
> I suggest we merge Access-Control-Allow-Origin, Access-Control-Allow-Credentials, and Access-Control-Max-Age into a new header, named CORS. The syntax of this new header would be:
> 
>  "CORS" : "credentials"? origin-value delta-seconds?
> 
> Access-Control-Allow-Methods and Access-Control-Allow-Headers become CORS-Methods and CORS-Headers respectively. I do not think it is worth trying to merge these in as well.
> 
> We keep the Origin header.
> 
> And Access-Control-Request-Method and Access-Control-Request-Headers are merged into a new header, named CORS-Preflight. The syntax of this new header would be:
> 
>  "CORS-Preflight" : Method [SP field-name]*
> 
> 
> [1]<http://www.w3.org/2008/webapps/track/issues/89>
> 


I'm not that keen on changing the names, but if we do, I think "CORS" might be a bit mysterious by itself as a header name. Here's another set of naming suggestions, if we do go down the renaming path (which for the record I'd rather not):

CORS ==> Allow-Access or Expose-Response
CORS-Methods ==> Allow-Methods
CORS-Headers ==> Allow-Headers (or Allow-Request-Headers)
CORS-Preflight ==> can't think of a better name for this
new header to expose more response headers ==> Expose-Headers (or Expose-Response-Headers)

Regards,
Maciej

Received on Thursday, 13 May 2010 07:40:25 UTC
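
The header syntax proposed in the quoted message above, as an added example that is not part of the original thread or of any browser's code: a strict parser that maps a proposed `CORS` or `CORS-Preflight` value back onto the `Access-Control-*` headers it was meant to merge. The function names, the token shapes for `origin-value` and `delta-seconds`, and the rejection of a wildcard origin with `credentials` are assumptions, since the message does not define them.

```python
import re

# Assumed token shapes: the proposal does not define origin-value or
# delta-seconds, so a single serialized origin, "*" or "null" is assumed.
ORIGIN = re.compile(r"\*|null|[a-z][a-z0-9+.-]*://[^\s/?#]+", re.I)
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # HTTP token characters


def parse_cors(value):
    """Map a proposed `CORS` value onto the three headers it would merge."""
    parts = value.split()
    creds = bool(parts) and parts[0] == "credentials"
    if creds:
        parts = parts[1:]
    if not parts or len(parts) > 2 or not ORIGIN.fullmatch(parts[0]):
        raise ValueError("expected: [credentials] origin-value [delta-seconds]")
    if creds and parts[0] == "*":
        # Assumption: carries over the existing CORS rule that a wildcard
        # origin cannot be combined with credentials.
        raise ValueError("wildcard origin cannot be combined with credentials")
    headers = {"Access-Control-Allow-Origin": parts[0]}
    if creds:
        headers["Access-Control-Allow-Credentials"] = "true"
    if len(parts) == 2:
        if not re.fullmatch(r"[0-9]+", parts[1]):
            raise ValueError("delta-seconds must be a non-negative integer")
        headers["Access-Control-Max-Age"] = parts[1]
    return headers


def parse_cors_preflight(value):
    """Map a proposed `CORS-Preflight` value onto the two request headers."""
    parts = value.split(" ")  # the grammar separates field names with one SP
    if not all(TOKEN.fullmatch(p) for p in parts):
        raise ValueError("expected: Method [SP field-name]*")
    headers = {"Access-Control-Request-Method": parts[0]}
    if parts[1:]:
        headers["Access-Control-Request-Headers"] = ", ".join(parts[1:])
    return headers


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(parse_cors("credentials http://example.org 3600"))
    print(parse_cors_preflight("PUT Content-Type X-Requested-With"))
```

Because all three fields share one value, position alone distinguishes them, which is why the parser rejects anything beyond the optional keyword, one origin and one integer rather than guessing.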