Re: [cors] Should browsers send non-user-controllable headers in Access-Control-Request-Headers? from Benson Margulies on 2011-12-22 (public-webapps@w3.org from October to December 2011)

From: Benson Margulies <bimargulies@gmail.com>
Date: Thu, 22 Dec 2011 06:17:57 -0500
To: Jarred Nicholls <jarred@webkit.org>
Cc: public-webapps@w3.org
Message-ID: <CALhtWkcTxVAOXRk0tGLDyktGNCqoz9EaTv9-RpT6znNZ=xBcSg@mail.gmail.com>

On Wed, Dec 21, 2011 at 10:38 PM, Jarred Nicholls <jarred@webkit.org> wrote:
> On Wed, Dec 21, 2011 at 9:16 PM, Benson Margulies <bimargulies@gmail.com>
> wrote:
>>
>> Chrome sends:
>>
>> Access-Control-Request-Headers:Origin, Content-Type, Accept
>>
>> Is that just wrong?
>>
>
> The spec clearly says:  "author request headers: A list of headers set by
> authors for the request. Empty, unless explicitly set."  So WebKit

(something missing)?

>
> For me, Chrome 16 sends Origin + <all_my_specified_headers>, so Chrome is
> behaving incorrectly.  Safari 5.1.2 behaves correctly (though the header
> list is not lowercased), and Firefox behaves correctly.

Jarred, along the lines of my question of 'what is a user header',
what spec would one read to learn that lower-casing was correct? I
looked for it and did not find it in the CORS draft.

Received on Thursday, 22 December 2011 11:18:39 UTC