- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 27 Jul 2011 09:44:03 -0700
- To: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
- Cc: public-webapps@w3.org, annevk@opera.com, satish.cattamanchi@gmail.com

On Wed, Jul 27, 2011 at 9:32 AM, Vladimir Dzhuvinov <vladimir@dzhuvinov.com> wrote:
> Hi guys,
>
> I'm the maintainer of CORS Filter, a small library for retrofitting
> Java web apps with CORS support.
>
> A developer who is using the library reported that the library was
> unexpectedly denying CORS requests from version 13 (still in beta)
> Google Chrome browsers. He contacted Google support and was informed
> that Chrome 13 is including "Origin" in the
> "Access-Control-Request-Headers" field.
>
> Is this browser behaviour proper according to the CORS protocol?
>
> My understanding of the CORS spec is that
> "Access-Control-Request-Headers" is meant only for custom headers
> appended to the XHR request by means of its "setRequestHeader" method.
> Is this so?
>
> My tests have also shown that FF, Safari, IE and also Chrome (up to
> version 12) do not include "Origin" in the
> "Access-Control-Request-Headers" header of outgoing CORS requests.

Your understanding is correct. Similarly, headers such as "User-Agent",
"Host" and "Referer" aren't listed in "Access-Control-Request-Headers".
Nor is the "Access-Control-Request-Headers" header itself.

We recently clarified this in the CORS spec as I recall it.

/ Jonas

Received on Wednesday, 27 July 2011 16:45:14 UTC
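
The failure discussed in this message, as an added example that is not part of the original thread and is not CORS Filter's own code: a server-side preflight check that compares "Access-Control-Request-Headers" against an allowlist, run once strictly and once ignoring the browser-set headers named in the reply. The class name, the allowlist contents, the `ignoreBrowserSet` switch and the sample field values are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class PreflightHeaderCheck {
    // Headers the reply names as set by the browser itself rather than via
    // setRequestHeader (lower-cased; header names are case-insensitive).
    static final Set<String> BROWSER_SET = Set.of(
        "origin", "user-agent", "host", "referer", "access-control-request-headers");

    // Split the comma-separated field value into trimmed, lower-cased names.
    static List<String> parse(String fieldValue) {
        List<String> names = new ArrayList<>();
        if (fieldValue == null) return names;
        for (String part : fieldValue.split(",")) {
            String name = part.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty()) names.add(name);
        }
        return names;
    }

    // Return the requested headers that are not permitted. An empty list means
    // the preflight passes. The allowlist must hold lower-cased names.
    static List<String> rejected(String fieldValue, Set<String> allowed,
                                 boolean ignoreBrowserSet) {
        List<String> bad = new ArrayList<>();
        for (String name : parse(fieldValue)) {
            if (ignoreBrowserSet && BROWSER_SET.contains(name)) continue;
            if (!allowed.contains(name)) bad.add(name);
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed allowlist of author-settable headers the app accepts.
        Set<String> allowed = Set.of("content-type", "x-requested-with");
        // Constructed field values: one without "Origin", one with it listed
        // as the message reports for Chrome 13.
        String withoutOrigin = "Content-Type, X-Requested-With";
        String withOrigin = "Origin, Content-Type, X-Requested-With";

        System.out.println("strict,   no Origin: " + rejected(withoutOrigin, allowed, false));
        System.out.println("strict,   Origin:    " + rejected(withOrigin, allowed, false));
        System.out.println("tolerant, Origin:    " + rejected(withOrigin, allowed, true));
        // A header outside both sets is still refused in tolerant mode.
        System.out.println("tolerant, X-Debug:   " + rejected("Origin, X-Debug", allowed, true));
    }
}
```

Skipping the browser-set names only stops the check from failing on them; every other requested header must still match the allowlist exactly.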