- From: Jarred Nicholls <jarred@webkit.org>
- Date: Wed, 21 Dec 2011 23:50:38 -0500
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: public-webapps@w3.org
- Message-ID: <CANufG2P48wTtfGobNE+iBkqbrYZLor2sAxBYmqfPFEG4kX6BCw@mail.gmail.com>
On Wed, Dec 21, 2011 at 11:37 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > On 12/21/11 11:28 PM, Jarred Nicholls wrote: > >> I'll try this again... >> >> The spec makes it very succinct in its preflight request steps that >> Access-Control-Request-Method should be sent, always. However in WebKit >> and Firefox I'm observing this header only being sent when there are >> "author request headers" being sent in Access-Control-Request-**Headers. >> Is the spec not clear in these steps, or are we all just doing it >> wrong? :) >> > > I'd like to understand your testcase. > > Looking at the Firefox code for this, Access-Control-Request-Method is > always sent when a preflight is done. > > What might be confusing the issue is that preflights are not always done, > maybe? A preflight, per http://dvcs.w3.org/hg/cors/** > raw-file/tip/Overview.html#**cross-origin-request<http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request>is done in the following cases: > > 1) The "force preflight" flag is set. > 2) The request method is not a simple method. > Ack I was using POST but I meant to use PUT. You're all over it, thanks. I'll go to bed now :-p > 3) There is an author request header that's not a simple header. > > (though it looks to me like item 1 is broken by the actual algorithm for > doing a "cross-origin request with preflight"; Anne?) > > In any case, if you're using XHR then #1 is likely not relevant, and if > you use a GET method then you have a simple method. So the only thing that > would trigger preflights are author request headers that are not simple > headers. > > -Boris > >
Received on Thursday, 22 December 2011 04:51:27 UTC