Re: [cors] The case of Http Headers in Access-Control-Request-Headers from Boris Zbarsky on 2011-12-22 (public-webapps@w3.org from October to December 2011)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 21 Dec 2011 21:58:01 -0500
To: public-webapps@w3.org
Message-ID: <4EF29CB9.80702@mit.edu>

On 12/21/11 9:43 PM, Benson Margulies wrote:
> I just made a small discovery;
>
> Chrome 16 sends, e.g.
>
>    Access-Control-Request-Headers: Content-Type
>
> Firefox 8.0 sends, contrastively:
>
>    Access-Control-Request-Headers: content-type
>
> Given the requirement for case-sensitive comparison in the spec

Where?

http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html section 6.2 step 6 
says:

   If any of the header field-names is not a ASCII case-insensitive
   match for any of the values in list of headers do not set any
   additional headers and terminate this set of steps.

so the comparison is ASCII case-insensitive.  That's as far as server 
requirements.

 > this to me suggests that one of them is wrong. Which?

As far as requirements on the browser go, the relevant part is section 
7.1.5 step 1 second list item 2, which says:

   If author request headers is not empty include an
   Access-Control-Request-Headers header with as header field value
   a comma-separated list of the header field names from author
   request headers in lexicographical order, each converted to
   ASCII lowercase (even when one or more are a simple header).

So what Firefox is doing is correct, and what Chrome is doing is wrong.

-Boris

Received on Thursday, 22 December 2011 02:58:43 UTC