- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 14 Feb 2012 18:38:08 +0100
- To: "Boris Zbarsky" <bzbarsky@mit.edu>
- Cc: public-webapps@w3.org, "Adam Barth" <abarth@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>, Odin Hørthe Omdal <odinho@opera.com>

On Thu, 22 Dec 2011 17:05:08 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> No, what I mean is this. Say we enter
> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request
> with the following state:
>
> * "force preflight" flag is true
> * Request method is simple method
> * No author request headers
> * Empty preflight cache (not that this matters)
>
> The spec says we should "follow the cross-origin request with preflight
> algorithm."
>
> Following that link, it says:
>
>    Go to the next step if the following conditions are true:
>
>    For request method there either is a method cache match or it is a
>    simple method.
>
>    For every header of author request headers there either is a header
>    cache match for the field name or it is a simple header.
>
> Since the method is a simple method and there are no author request
> headers, we skip the preflight and go on to the main request.
>
> Now it's possible that I simply don't understand what this flag is
> _supposed_ to do or that I'm missing something....

So the idea behind the force preflight flag is that there's a preflight request if upload event listeners are registered, because otherwise you can determine the existence of a server.

Now the obvious way to fix CORS would be to add an additional condition in the text you quoted above, namely that the force preflight flag is unset; however, that would mean that caching is bypassed too. How is this implemented in practice? Jonas, Adam, Odin, any ideas?

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 14 February 2012 17:38:41 UTC
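
The skip condition quoted in the message above, next to the variant with the extra "force preflight flag is unset" condition, modelled as an added JavaScript example (not code from the spec, the message, or any browser). The simple-method and simple-header sets are simplified, the cache is reduced to two sets for a single origin/URL pair, and all function and field names are assumptions.

```javascript
// Added illustration, not spec text or browser code. All names are hypothetical.
// Simplified: real simple headers also include Content-Type for some values,
// and real cache entries are per origin/URL with a max-age.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Condition as quoted: skip the preflight when the method and every author
// request header is either cached or simple. The flag is never consulted.
function skipAsQuoted(req, cache) {
  const methodOk = cache.methods.has(req.method) || SIMPLE_METHODS.has(req.method);
  const headersOk = req.authorHeaders.every((h) => {
    const name = h.toLowerCase();
    return cache.headers.has(name) || SIMPLE_HEADERS.has(name);
  });
  return methodOk && headersOk;
}

// Variant with the additional condition that the force preflight flag is unset.
function skipWithFlagCondition(req, cache) {
  return !req.forcePreflight && skipAsQuoted(req, cache);
}

// Returns how many preflights are sent for `count` identical requests,
// recording each preflight in the cache (assumed to always succeed).
function countPreflights(skipFn, req, count) {
  const cache = { methods: new Set(), headers: new Set() };
  let preflights = 0;
  for (let i = 0; i < count; i++) {
    if (!skipFn(req, cache)) {
      preflights++;
      cache.methods.add(req.method);
      req.authorHeaders.forEach((h) => cache.headers.add(h.toLowerCase()));
    }
  }
  return preflights;
}

// Constructed request matching the state in the quoted message.
const uploadReq = { method: "POST", authorHeaders: [], forcePreflight: true };
// Flag unset, non-simple header: shows what the cache normally saves.
const customReq = { method: "POST", authorHeaders: ["X-Example"], forcePreflight: false };

console.log(countPreflights(skipAsQuoted, uploadReq, 3));          // flag ignored
console.log(countPreflights(skipWithFlagCondition, uploadReq, 3)); // cache bypassed
console.log(countPreflights(skipAsQuoted, customReq, 3));          // cached after first
```
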