[cors] Response header whitelist requires changing the API


Our server has a REST-ful API, where creating a user is done by
POST-ing to /users. The response contains a Location header pointing
to the newly-created resource, such as "Location: /users/15".

Since reading the Location header is not possible for cross-origin
requests, we must change the API to return this information somewhere
in the body.

I'm not sure if this is against Requirement #15:

> Cross-origin requests should not require API changes other than allowing cross-origin requests. This means that the following examples should work for resources residing on http://test.example (modulo changes to the respective specifications to allow cross-origin requests): [...]

Anyway, a way of specifying which headers the client is allowed to
read, or some other solution, would be nice.


Received on Wednesday, 10 March 2010 09:19:58 UTC
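
The restriction described in the message, modelled as an added example that is not part of the original post: a sketch of which response headers a script can read, using the CORS-safelisted response-header names and the Access-Control-Expose-Headers response header from the current Fetch Standard (which is not mentioned in the message). The function name `readableHeaders`, its options, and the sample response are assumptions made for illustration.

```javascript
// Added illustration: models the browser's response-header filtering.
// CORS-safelisted response-header names (Fetch Standard), lower-cased.
const SAFELIST = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Forbidden response-header names: never readable by script.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Hypothetical helper: returns the headers a page script would be able to read.
function readableHeaders(responseHeaders, { crossOrigin, withCredentials = false }) {
  // Header names are case-insensitive, so normalise them first.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  // Names the server opted to expose via Access-Control-Expose-Headers.
  const exposed = new Set(
    (headers.get("access-control-expose-headers") || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
  // "*" acts as a wildcard only for requests made without credentials.
  const wildcard = exposed.has("*") && !withCredentials;

  const out = {};
  for (const [name, value] of headers) {
    if (FORBIDDEN.has(name)) continue;
    if (!crossOrigin || SAFELIST.has(name) || exposed.has(name) || wildcard) {
      out[name] = value;
    }
  }
  return out;
}

// Constructed sample: the response to POST /users described in the message.
const created = {
  "Content-Type": "application/json",
  "Location": "/users/15",
  "Set-Cookie": "sid=constructed",
};
```

Without an opt-in from the server, the cross-origin caller sees Content-Type but not Location; listing Location in Access-Control-Expose-Headers makes it readable without moving it into the body.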