- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 22 Jun 2011 14:44:44 +0200
- To: "WebApps WG" <public-webapps@w3.org>, "Jonas Sicking" <jonas@sicking.cc>

Currently when making a preflight request user agents are required to include "content-type" in the Access-Control-Request-Headers header if the author specified a Content-Type header. However, this Content-Type header included in the actual request can contain a header value allowed by "simple headers", such as "text/plain". Is it a problem that the server cannot distinguish which Content-Type header is meant? The primary reason for the preflight request is awareness, but it still strikes me as icky.

There is one other problem noted by sicking on the WHATWG list. Namely that Content-Type can also be set by the user agent. E.g. based on the File object passed to the send() method in XMLHttpRequest.

So I think I will update the places where CORS compares "author request headers" (I renamed "custom request headers" as "author" is clearer and "custom" caused confusion) against "simple headers" to also compare the Content-Type header (if set by the user agent) against "simple headers".

Does that make sense?

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 22 June 2011 12:45:25 UTC
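
The comparison discussed in the message, as an added example that is not part of the original post or of the CORS specification text. The function names are hypothetical, and the sketch assumes that the preflight lists every author header name (lower-cased, sorted) and that an author-set Content-Type takes precedence over one set by the user agent.

```javascript
// Added illustration of the comparison discussed above; names are hypothetical.
const SIMPLE_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Media type without parameters: "Text/Plain; charset=UTF-8" -> "text/plain".
function mediaType(value) {
  return String(value).split(";")[0].trim().toLowerCase();
}

function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_NAMES.has(n)) return true;
  return n === "content-type" && SIMPLE_CONTENT_TYPES.has(mediaType(value));
}

// authorHeaders: object of headers set through setRequestHeader().
// uaContentType: Content-Type the user agent derived from the body
// (for example from a File passed to send()), or null.
function planRequest(authorHeaders, uaContentType) {
  const entries = Object.entries(authorHeaders);
  const authorNonSimple = entries.some(([n, v]) => !isSimpleHeader(n, v));
  // Assumption: an author-set Content-Type overrides the user agent's value.
  const authorSetType = entries.some(([n]) => n.toLowerCase() === "content-type");
  const uaNonSimple = !authorSetType && uaContentType != null &&
    !isSimpleHeader("content-type", uaContentType);
  const preflight = authorNonSimple || uaNonSimple;
  // The preflight carries header names only, never their values.
  const names = entries.map(([n]) => n.toLowerCase()).sort();
  return { preflight, requestHeaders: preflight ? names.join(",") : "" };
}

// Server side: because "content-type" in the preflight says nothing about the
// value, the resource checks the media type again on the actual request.
function actualRequestAllowed(contentType, allowedTypes) {
  return allowedTypes.includes(mediaType(contentType));
}
```

With constructed inputs, an author Content-Type of text/plain and one of application/json produce the same Access-Control-Request-Headers value when another author header forces the preflight, which is the ambiguity the message asks about.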