- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 15 Feb 2012 02:05:36 -0500
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org, Adam Barth <abarth@gmail.com>, Odin Hørthe Omdal <odinho@opera.com>
On Tue, Feb 14, 2012 at 12:38 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 22 Dec 2011 17:05:08 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>
>> No, what I mean is this. Say we enter
>> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request
>> with the following state:
>>
>> * "force preflight" flag is true
>> * Request method is simple method
>> * No author request headers
>> * Empty preflight cache (not that this matters)
>>
>> The spec says we should "follow the cross-origin request with preflight
>> algorithm."
>>
>> Following that link, it says:
>>
>> Go to the next step if the following conditions are true:
>>
>> For request method there either is a method cache match or it is a
>> simple method.
>>
>> For every header of author request headers there either is a header
>> cache match for the field name or it is a simple header.
>>
>> Since the method is a simple method and there are no author request
>> headers, we skip the preflight and go on to the main request.
>>
>> Now it's possible that I simply don't understand what this flag is
>> _supposed_ to do or that I'm missing something....
>
>
> So the idea behind the force preflight flag is that there's a preflight
> request if upload event listeners are registered, because otherwise you can
> determine the existence of a server. Now the obvious way to fix CORS would
> be to add an additional condition in the text you quoted above, namely that
> the force preflight flag is unset; however, that would mean that caching is
> bypassed too.

Just add the "force preflight flag is unset" condition to only the "is
simple method" check. That way a cache hit still counts and prevents a
preflight even if the force-flag is set.

Note that a cache hit can only happen if a preflight-check has been
successful *from the requesting origin*. So things should still be
safe.

At least that's how we have it implemented in Firefox.

/ Jonas
Received on Wednesday, 15 February 2012 07:06:34 UTC
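
The three readings of the skip-preflight step discussed in this thread, as an added example that is not part of the original message and is not Firefox's or the spec's own code. The function name, the rule labels and the cache shape are assumptions, and preflight cache matching is reduced to set membership.

```javascript
// Added illustration: names and rule labels are hypothetical, not spec terms.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  return SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// cache: entries stored after a successful preflight from this origin
//        (assumed shape: { methods: Set, headers: Set of lowercase names }).
// rule:  "as-quoted"      the spec text quoted in the thread (flag never consulted)
//        "flag-on-step"   flag must be unset for the whole step (bypasses the cache)
//        "flag-on-simple" flag must be unset only for the "simple method" check
function needsPreflight(req, cache, rule) {
  const forced = req.forcePreflight === true;
  const methodCached = cache.methods.has(req.method);
  const methodSimple = SIMPLE_METHODS.has(req.method) &&
    !(rule === "flag-on-simple" && forced);
  const headersOk = Object.entries(req.headers).every(
    ([name, value]) => cache.headers.has(name.toLowerCase()) ||
                       isSimpleHeader(name, value));
  let skip = (methodCached || methodSimple) && headersOk;
  if (rule === "flag-on-step" && forced) skip = false;
  return !skip;
}

// Constructed sample: the state from the thread (simple method, no author
// headers, flag set), evaluated with an empty cache and with a warm one.
const req = { method: "POST", headers: {}, forcePreflight: true };
const emptyCache = { methods: new Set(), headers: new Set() };
const warmCache = { methods: new Set(["POST"]), headers: new Set() };

function compareRules() {
  const out = {};
  for (const rule of ["as-quoted", "flag-on-step", "flag-on-simple"]) {
    out[rule] = { empty: needsPreflight(req, emptyCache, rule),
                  warm: needsPreflight(req, warmCache, rule) };
  }
  return out;
}
console.log(compareRules());
```

With the empty cache both fixes send a preflight where the quoted text sends none; with the warm cache only the whole-step condition still sends one.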