W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2011

Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Date: Fri, 29 Jul 2011 13:25:07 +0100
Message-ID: <CA+dqsRKFFB05_cnJSRuQmOudBc1yH1hSiVYAyaQKY1yxWuNKYg@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Jonas Sicking <jonas@sicking.cc>, public-webapps@w3.org, satish.cattamanchi@gmail.com
On 27 July 2011 22:34, Anne van Kesteren <annevk@opera.com> wrote:
> <vladimir@dzhuvinov.com> wrote:
>> I carefully examined the bits of the CORS spec (edition
>> http://www.w3.org/TR/2010/WD-cors-20100727/ ) relevant to the
>> Access-Control-Request-Header.
> Could you please review http://dev.w3.org/2006/waf/access-control/ instead?
> The TR/ version is (always) out of date.

Thanks Anne, "author request headers" sounds more to the point than
the previous "custom request headers".

Regarding "6. Resource processing model": [item 3] "A list of headers
consisting of zero or more header field names that are supported by
the resource.":

Is this list supposed to be

1) of the non-simple headers only - as per
http://dev.w3.org/2006/waf/access-control/#simple-header or

2) of all supported headers that the author may choose to set,
including those that qualify as simple?

Because right now the Java CORS filter expects to receive only
non-simple headers in "Access-Control-Request-Headers", and if for
some reason the browser has decided to include a simple header, e.g.
"Accept", in the preflight request it won't be allowed to proceed.


Vladimir Dzhuvinov :: vladimir@dzhuvinov.com

http://NimbusDS.com :: Nimble directory services for web and cloud applications
Received on Friday, 29 July 2011 12:25:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:23 UTC