[cors] Content-Type

Currently when making a preflight request user agents are required to  
include "content-type" in the Access-Control-Request-Headers header if the  
author specified a Content-Type header. However, this Content-Type header  
included in the actual request can contain a header value allowed by  
"simple headers", such as "text/plain". Is it a problem that the server  
cannot distinguish which Content-Type header is meant? The primary reason  
for the preflight request is awareness, but it still strikes me as icky.

There is one other problem noted by sicking on the WHATWG list. Namely  
that Content-Type can also be set by the user agent. E.g. based on the  
File object passed to the send() method in XMLHttpRequest. So I think I  
will update the places where CORS compares "author request headers" (I  
renamed "custom request headers" as "author" is clearer and "custom"  
caused confusion) against "simple headers" to also compare the  
Content-Type header (if set by the user agent) against "simple headers".

Does that make sense?

Anne van Kesteren

Received on Wednesday, 22 June 2011 12:45:25 UTC
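
The comparison discussed in the message above, sketched as an added example that is not part of the original post or of the CORS specification text. The function names, the `X-Example` header and the sample requests are constructed for illustration; the simple-header lists are taken from the CORS definition, and listing only author header names in the preflight is an assumption.

```javascript
// Simple methods and headers as defined by CORS (assumed from the spec; the page
// itself only names "text/plain" as a simple Content-Type value).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a name/value pair counts as a "simple header".
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_NAMES.has(n)) return true;
  if (n !== "content-type") return false;
  const mime = String(value).split(";")[0].trim().toLowerCase(); // ignore parameters
  return SIMPLE_TYPES.has(mime);
}

// Hypothetical helper. authorHeaders: headers the author set with setRequestHeader().
// uaContentType: Content-Type chosen by the user agent (e.g. from a File passed
// to send()), or null when the user agent set none.
function planPreflight(method, authorHeaders, uaContentType = null) {
  const entries = Object.entries(authorHeaders);
  const authorSetsType = entries.some(([n]) => n.toLowerCase() === "content-type");
  // Proposed comparison: a UA-set Content-Type is checked against simple headers too.
  const uaTypeNotSimple = !authorSetsType && uaContentType !== null &&
    !isSimpleHeader("content-type", uaContentType);
  const preflight = !SIMPLE_METHODS.has(method.toUpperCase()) ||
    entries.some(([n, v]) => !isSimpleHeader(n, v)) || uaTypeNotSimple;
  // The preflight lists header names only (lowercased, sorted); values are not sent.
  // Assumption: only author request header names are listed.
  const names = entries.map(([n]) => n.toLowerCase()).sort();
  return { preflight, requestHeaders: preflight ? names.join(", ") : "" };
}

// Constructed requests: same header names, different Content-Type values.
const plain = planPreflight("POST", { "Content-Type": "text/plain", "X-Example": "1" });
const json = planPreflight("POST", { "Content-Type": "application/json", "X-Example": "1" });
console.log(plain.requestHeaders, "|", json.requestHeaders); // identical lists
console.log(planPreflight("POST", {}, "image/png").preflight); // UA-set, not simple
```

Because both constructed requests produce the same Access-Control-Request-Headers value, a server that authorizes "content-type" in the preflight response is authorizing every Content-Type value, so any value-based restriction has to be enforced on the actual request.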