[CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

Hi guys,

I'm the maintainer of CORS Filter, a small library for retrofitting
Java web apps with CORS support.

A developer who is using the library reported that the library was
unexpectedly denying CORS requests from version 13 (still in beta)
Google Chrome browsers. He contacted Google support and was informed
that Chrome 13 is including "Origin" in the
"Access-Control-Request-Headers" field.

Is this browser behaviour proper according to the CORS protocol?

My understanding of the CORS spec is that
"Access-Control-Request-Headers" is meant only for custom headers
appended to the XHR request by means of its "setRequestHeader" method.
Is this so?

My tests have also shown that FF, Safari, IE and also Chrome (up to
version 12) do not include "Origin" in the
"Access-Control-Request-Headers" header of outgoing CORS requests.



Vladimir Dzhuvinov :: vladimir@dzhuvinov.com

http://NimbusDS.com :: Nimble directory services for web and cloud applications

Received on Wednesday, 27 July 2011 16:33:18 UTC