Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field? from Vladimir Dzhuvinov on 2011-07-27 (public-webapps@w3.org from July to September 2011)

From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Date: Wed, 27 Jul 2011 22:19:26 +0100
To: Jonas Sicking <jonas@sicking.cc>
Cc: public-webapps@w3.org, annevk@opera.com, satish.cattamanchi@gmail.com
Message-ID: <CA+dqsRK-U9Mmzi6m_+njtP1qk7KJjU4=5L_-FuSubD85wDhU_w@mail.gmail.com>

On 27 July 2011 17:44, Jonas Sicking <jonas@sicking.cc> wrote:
> On Wed, Jul 27, 2011 at 9:32 AM, Vladimir Dzhuvinov
> <vladimir@dzhuvinov.com> wrote:
>> Hi guys,
>>
>> I'm the maintainer of CORS Filter, a small library for retrofitting
>> Java web apps with CORS support.
>>
>> A developer who is using the library reported that the library was
>> unexpectedly denying CORS requests from version 13 (still in beta)
>> Google Chrome browsers. He contacted Google support and was informed
>> that Chrome 13 is including "Origin" in the
>> "Access-Control-Request-Headers" field.
>>
>> Is this browser behaviour proper according to the CORS protocol?
>>
>> My understanding of the CORS spec is that
>> "Access-Control-Request-Headers" is meant only for custom headers
>> appended to the XHR request by means of its "setRequestHeader" method.
>> Is this so?
>>
>> My tests have also shown that FF, Safari, IE and also Chrome (up to
>> version 12) do not include "Origin" in the
>> "Access-Control-Request-Headers" header of outgoing CORS requests.
>
> Your understanding is correct. Similarly headers such as "User-Agent",
> "Host" and "Referer" aren't listed in
> "Access-Control-Request-Headers". Nor is the
> "Access-Control-Request-Headers" header itself.
>
> We recently clarified this in the CORS spec as I recall it.

Thank you Jonas for setting this straight.

I carefully examined the bits of the CORS spec (edition
http://www.w3.org/TR/2010/WD-cors-20100727/ ) relevant to the
Access-Control-Request-Header. Those who understand the case for CORS
and what led to its development will probably have no problem getting
the intended meaning of this header. However, to a programmer who is
rushing to implement CORS and is following the spec by the word this
may not be so obvious.

My suggestion is to add a few lines to section 4.9 to be more explicit
on the actual intent of the Access-Control-Request-Header so others
don't do a similar mistake again. As for Google, I hope the guys at
Chrome will be able to rectify their mistake before version 13 is
officially shipped.

Cheers,

Vladimir
-- 
Vladimir Dzhuvinov :: vladimir@dzhuvinov.com

http://NimbusDS.com :: Nimble directory services for web and cloud applications

Received on Wednesday, 27 July 2011 21:20:03 UTC