- From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
- Date: Wed, 27 Jul 2011 17:32:50 +0100
- To: public-webapps@w3.org, annevk@opera.com, satish.cattamanchi@gmail.com

Hi guys,

I'm the maintainer of CORS Filter, a small library for retrofitting Java web apps with CORS support.

A developer who is using the library reported that the library was unexpectedly denying CORS requests from version 13 (still in beta) Google Chrome browsers. He contacted Google support and was informed that Chrome 13 is including "Origin" in the "Access-Control-Request-Headers" field.

Is this browser behaviour proper according to the CORS protocol? My understanding of the CORS spec is that "Access-Control-Request-Headers" is meant only for custom headers appended to the XHR request by means of its "setRequestHeader" method. Is this so?

My tests have also shown that FF, Safari, IE and also Chrome (up to version 12) do not include "Origin" in the "Access-Control-Request-Headers" header of outgoing CORS requests.

Greetings,

Vladimir

--
Vladimir Dzhuvinov :: vladimir@dzhuvinov.com
http://NimbusDS.com :: Nimble directory services for web and cloud applications

Received on Wednesday, 27 July 2011 16:33:18 UTC
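
The denial described in the message above can be reproduced with a strict server-side check of "Access-Control-Request-Headers" against a configured list of supported headers. This is an added example, not part of the original message and not the CORS Filter library's own code; the class name, the supported-header list and the sample field values are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical illustration of a strict preflight header check.
public class PreflightHeaderCheck {

    // Assumed server configuration: custom request headers the application accepts.
    static final Set<String> SUPPORTED = caseInsensitive("X-Requested-With", "Content-Type");

    // HTTP header names are case-insensitive, so compare them that way.
    static Set<String> caseInsensitive(String... names) {
        Set<String> set = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        set.addAll(Arrays.asList(names));
        return set;
    }

    // Returns the names listed in Access-Control-Request-Headers that the
    // server does not support. An empty result means the preflight passes.
    static Set<String> unsupported(String requestHeadersField) {
        Set<String> rejected = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        if (requestHeadersField == null || requestHeadersField.trim().isEmpty()) {
            return rejected; // no custom headers announced
        }
        for (String name : requestHeadersField.split(",")) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty() && !SUPPORTED.contains(trimmed)) {
                rejected.add(trimmed);
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample field values: the second and third include
        // "Origin", as the message reports for Chrome 13.
        String[] samples = {
            "X-Requested-With",
            "Origin, X-Requested-With",
            "origin, content-type",
            null
        };
        for (String field : samples) {
            Set<String> rejected = unsupported(field);
            System.out.println(field + " -> "
                    + (rejected.isEmpty() ? "allow" : "deny " + rejected));
        }
    }
}
```

With this configuration, any field value that lists "Origin" is denied even though every custom header in it is supported, which matches the behaviour the developer reported.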