- From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
- Date: Wed, 27 Jul 2011 22:19:26 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: public-webapps@w3.org, annevk@opera.com, satish.cattamanchi@gmail.com
On 27 July 2011 17:44, Jonas Sicking <jonas@sicking.cc> wrote:

> On Wed, Jul 27, 2011 at 9:32 AM, Vladimir Dzhuvinov
> <vladimir@dzhuvinov.com> wrote:
>> Hi guys,
>>
>> I'm the maintainer of CORS Filter, a small library for retrofitting
>> Java web apps with CORS support.
>>
>> A developer who is using the library reported that the library was
>> unexpectedly denying CORS requests from version 13 (still in beta)
>> Google Chrome browsers. He contacted Google support and was informed
>> that Chrome 13 is including "Origin" in the
>> "Access-Control-Request-Headers" field.
>>
>> Is this browser behaviour proper according to the CORS protocol?
>>
>> My understanding of the CORS spec is that
>> "Access-Control-Request-Headers" is meant only for custom headers
>> appended to the XHR request by means of its "setRequestHeader" method.
>> Is this so?
>>
>> My tests have also shown that FF, Safari, IE and also Chrome (up to
>> version 12) do not include "Origin" in the
>> "Access-Control-Request-Headers" header of outgoing CORS requests.
>
> Your understanding is correct. Similarly headers such as "User-Agent",
> "Host" and "Referer" aren't listed in
> "Access-Control-Request-Headers". Nor is the
> "Access-Control-Request-Headers" header itself.
>
> We recently clarified this in the CORS spec as I recall it.

Thank you Jonas for setting this straight.

I carefully examined the bits of the CORS spec (edition http://www.w3.org/TR/2010/WD-cors-20100727/ ) relevant to the Access-Control-Request-Headers. Those who understand the case for CORS and what led to its development will probably have no problem getting the intended meaning of this header. However, to a programmer who is rushing to implement CORS and is following the spec by the word this may not be so obvious.

My suggestion is to add a few lines to section 4.9 to be more explicit on the actual intent of the Access-Control-Request-Headers so others don't make a similar mistake again.

As for Google, I hope the guys at Chrome will be able to rectify their mistake before version 13 is officially shipped.

Cheers,

Vladimir

--
Vladimir Dzhuvinov :: vladimir@dzhuvinov.com
http://NimbusDS.com :: Nimble directory services for web and cloud applications
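An added example, not part of the thread or of the CORS Filter library, of the preflight check the thread describes: a server that allows only the author-set request headers it expects accepts a conforming preflight and denies one whose Access-Control-Request-Headers also lists Origin. The function names, allow lists and sample preflights are constructed for illustration.

```python
"""CORS preflight evaluation against explicit allow lists.

Added illustration: browser-controlled headers such as Origin are not
author headers, so a server checking Access-Control-Request-Headers
strictly will deny a preflight that lists them (the Chrome 13 beta
behaviour discussed in the thread).
"""
from typing import Dict, List, Optional


def split_header_list(value: Optional[str]) -> List[str]:
    """Parse a comma-separated list of header names (ASCII case-insensitive)."""
    if not value:
        return []
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def evaluate_preflight(request: Dict[str, str],
                       allowed_origins: List[str],
                       allowed_methods: List[str],
                       allowed_headers: List[str]) -> Optional[Dict[str, str]]:
    """Return the CORS response headers for an acceptable preflight, else None.

    `request` maps lower-cased request header names to their values.
    The preflight is denied if the origin, the requested method, or any
    header listed in Access-Control-Request-Headers is not on its allow list.
    """
    origin = request.get("origin")
    if origin not in allowed_origins:
        return None
    method = request.get("access-control-request-method", "").upper()
    if method not in {m.upper() for m in allowed_methods}:
        return None
    requested = split_header_list(request.get("access-control-request-headers"))
    permitted = {h.lower() for h in allowed_headers}
    # Every listed header must be an expected author header; "origin"
    # is never on that list, so a preflight naming it is denied here.
    if any(h not in permitted for h in requested):
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(allowed_methods),
        "Access-Control-Allow-Headers": ", ".join(allowed_headers),
    }


# Constructed sample preflights: a conforming browser, and one that also
# lists Origin in Access-Control-Request-Headers as the Chrome 13 beta did.
CONFORMING = {"origin": "https://app.example",
              "access-control-request-method": "PUT",
              "access-control-request-headers": "X-Requested-With"}
LISTS_ORIGIN = dict(CONFORMING,
                    **{"access-control-request-headers": "Origin, X-Requested-With"})
```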
Received on Wednesday, 27 July 2011 21:20:03 UTC