W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2011

[CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Date: Wed, 27 Jul 2011 17:32:50 +0100
Message-ID: <CA+dqsRJiP1kUXtsOXov-YtZkpUEq75E_jBf9VtqgN=qnhuEgHg@mail.gmail.com>
To: public-webapps@w3.org, annevk@opera.com, satish.cattamanchi@gmail.com
Hi guys,

I'm the maintainer of CORS Filter, a small library for retrofitting
Java web apps with CORS support.

A developer who is using the library reported that the library was
unexpectedly denying CORS requests from version 13 (still in beta)
Google Chrome browsers. He contacted Google support and was informed
that Chrome 13 is including "Origin" in the
"Access-Control-Request-Headers" field.

Is this browser behaviour proper according to the CORS protocol?

My understanding of the CORS spec is that
"Access-Control-Request-Headers" is meant only for custom headers
appended to the XHR request by means of its "setRequestHeader" method.
Is this so?

My tests have also shown that FF, Safari, IE and also Chrome (up to
version 12) do not include "Origin" in the
"Access-Control-Request-Headers" header of outgoing CORS requests.



Vladimir Dzhuvinov :: vladimir@dzhuvinov.com

http://NimbusDS.com :: Nimble directory services for web and cloud applications
Received on Wednesday, 27 July 2011 16:33:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:23 UTC