Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

On 27 July 2011 22:34, Anne van Kesteren <> wrote:
> <> wrote:
>> I carefully examined the bits of the CORS spec (edition
>> ) relevant to the
>> Access-Control-Request-Header.
> Could you please review instead?
> The TR/ version is (always) out of date.

Thanks Anne, "author request headers" sounds more to the point than
the previous "custom request headers".

Regarding "6. Resource processing model": [item 3] "A list of headers
consisting of zero or more header field names that are supported by
the resource.":

Is this list supposed to be

1) of the non-simple headers only - as per or

2) of all supported headers that the author may choose to set,
including those that qualify as simple?

Because right now the Java CORS filter expects to receive only
non-simple headers in "Access-Control-Request-Headers", and if for
some reason the browser has decided to include a simple header, e.g.
"Accept", in the preflight request it won't be allowed to proceed.


Vladimir Dzhuvinov :: :: Nimble directory services for web and cloud applications

Received on Friday, 29 July 2011 12:25:34 UTC