Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

On Sat, 2011-12-17 at 16:10 +0100, Anne van Kesteren wrote:
> On Fri, 29 Jul 2011 14:25:07 +0200, Vladimir Dzhuvinov  
> <vladimir@dzhuvinov.com> wrote:
> > Regarding "6. Resource processing model": [item 3] "A list of headers
> > consisting of zero or more header field names that are supported by
> > the resource.":
> >
> > Is this list supposed to be
> >
> > 1) of the non-simple headers only - as per
> > http://dev.w3.org/2006/waf/access-control/#simple-header or
> >
> > 2) of all supported headers that the author may choose to set,
> > including those that qualify as simple?
> >
> > Because right now the Java CORS filter expects to receive only
> > non-simple headers in "Access-Control-Request-Headers", and if for
> > some reason the browser has decided to include a simple header, e.g.
> > "Accept", in the preflight request it won't be allowed to proceed.
> 
> My apologies for forgetting to reply to this message. Fortunately it was  
> still somewhere in my inbox! It seems your Java CORS filter has a bug as  
> simple headers can be included there (for consistency).

This and a few other issues with the CORS Filter were sorted out last
year thanks to user feedback and patches.


Happy new year, Anne!


-- 
Vladimir Dzhuvinov :: vladimir@dzhuvinov.com

Received on Monday, 9 January 2012 15:18:44 UTC
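
Added example (not part of the original messages and not the Java CORS Filter's code): a JavaScript sketch of the preflight check discussed in this thread, with the strict behaviour that refuses a preflight listing "Accept" beside a check that tolerates simple header names. The function names, the supported-header list and the sample header value are constructed for illustration; Content-Type is left to the configured list because a preflight carries header names only, not values.

```javascript
// Added example: all names here are hypothetical, not taken from the Java CORS Filter.

// Header names that are simple regardless of value (CORS "simple header" definition).
// Content-Type is simple only for certain values, which a preflight does not carry,
// so this sketch leaves it to the configured list (an assumption of this example).
const SIMPLE_BY_NAME = new Set(["accept", "accept-language", "content-language"]);

// Split an Access-Control-Request-Headers value into lowercase field names.
function parseRequestHeaders(value) {
  if (value === undefined || value === null) return [];
  return value
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Behaviour described in the thread: every listed name must be in the configured
// (non-simple) list, so a preflight that lists "Accept" is refused.
function checkStrict(requestHeadersValue, supported) {
  const allowed = new Set(supported.map((h) => h.toLowerCase()));
  const rejected = parseRequestHeaders(requestHeadersValue).filter((n) => !allowed.has(n));
  return { ok: rejected.length === 0, rejected };
}

// Corrected check: simple header names are accepted when listed; everything else
// still has to match the configured list, case-insensitively.
function checkTolerant(requestHeadersValue, supported) {
  const allowed = new Set(supported.map((h) => h.toLowerCase()));
  const rejected = parseRequestHeaders(requestHeadersValue).filter(
    (n) => !allowed.has(n) && !SIMPLE_BY_NAME.has(n)
  );
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample input: a resource that supports two non-simple headers.
const SUPPORTED = ["X-Requested-With", "Authorization"];
const PREFLIGHT_VALUE = "Accept, X-Requested-With";

console.log(checkStrict(PREFLIGHT_VALUE, SUPPORTED));
console.log(checkTolerant(PREFLIGHT_VALUE, SUPPORTED));
console.log(checkTolerant("Accept, X-Custom", SUPPORTED));
```

The tolerant check still refuses a preflight that names a non-simple header missing from the configured list, so accepting simple names does not widen what the resource allows.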