Re: [cors] Simplify CORS Headers (ISSUE-89) from Arthur Barstow on 2010-05-14 (public-webapps@w3.org from April to June 2010)

From: Arthur Barstow <art.barstow@nokia.com>
Date: Fri, 14 May 2010 13:18:52 -0400
To: Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, Chris Wilson <Chris.Wilson@microsoft.com>, Adrian Bateman <adrianba@microsoft.com>
Cc: WebApps WG <public-webapps@w3.org>
Message-Id: <637159E7-430F-4EC3-B3BD-74952D1D669C@nokia.com>

Simpler and/or shorter would indeed be good, although it may be too  
late.

Jonas, IE Guys (Chris, Adrian, ...) - what is your input on this issue?

-Art Barstow

On May 13, 2010, at 3:39 AM, ext Maciej Stachowiak wrote:

>
> On May 6, 2010, at 5:30 PM, Anne van Kesteren wrote:
>
>> Here is a brief proposal for how we could simplify the current set  
>> of CORS headers. We can use this thread to evaluate whether it is  
>> worth breaking with what Firefox, Safari, Chrome, and IE are doing  
>> now. And whether all parties are willing to change their supported  
>> syntax in due course.
>>
>> Furthermore, I suggest that if we have nothing conclusive on this  
>> topic by June 15 we consider ISSUE-89[1] as resolved. We have to  
>> move on at some point. (Maybe the chairs should issue a CfC for  
>> this to make it official.)
>>
>>
>> I suggest we merge Access-Control-Allow-Origin, Access-Control- 
>> Allow-Credentials, and Access-Control-Max-Age into a new header,  
>> named CORS. The syntax of this new header would be:
>>
>>  "CORS" : "credentials"? origin-value delta-seconds?
>>
>> Access-Control-Allow-Methods and Access-Control-Allow-Headers  
>> become CORS-Methods and CORS-Headers respectively. I do not think  
>> it is worth trying to merge these in as well.
>>
>> We keep the Origin header.
>>
>> And Access-Control-Request-Method and Access-Control-Request- 
>> Headers are merged into a new header, named CORS-Preflight. The  
>> syntax of this new header would be:
>>
>>  "CORS-Preflight" : Method [SP field-name]*
>>
>>
>> [1]<http://www.w3.org/2008/webapps/track/issues/89>
>>
>
>
> I'm not that keen on changing the names, but if we do, I think  
> "CORS" might be a bit mysterious by itself as a header name. Here's  
> another set of naming suggestions, if we do go down the renaming  
> path (which for the record I'd rather not):
>
> CORS ==> Allow-Access or Expose-Response
> CORS-Methods ==> Allow-Methods
> CORS-Headers ==> Allow-Headers (or Allow-Request-Headers)
> CORS-Preflight ==> can't think of a better name for this
> new header to expose more response headers ==> Expose-Headers (or  
> Expose-Response-Headers)
>
> Regards,
> Maciej

Received on Friday, 14 May 2010 17:21:28 UTC