Re: [CORS] Access-Control-Request-Method

On Tue, Feb 14, 2012 at 12:38 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 22 Dec 2011 17:05:08 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>>
>> No, what I mean is this. Say we enter
>> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request
>> with the following state:
>>
>> * "force preflight" flag is true
>> * Request method is simple method
>> * No author request headers
>> * Empty preflight cache (not that this matters)
>>
>> The spec says we should "follow the cross-origin request with preflight
>> algorithm."
>>
>> Following that link, it says:
>>
>>   Go to the next step if the following conditions are true:
>>
>>     For request method there either is a method cache match or it is a
>>     simple method.
>>
>>     For every header of author request headers there either is a header
>>     cache match for the field name or it is a simple header.
>>
>> Since the method is a simple method and there are no author request
>> headers, we skip the preflight and go on to the main request.
>>
>> Now it's possible that I simply don't understand what this flag is
>> _supposed_ to do or that I'm missing something....
>
>
> So the idea behind the force preflight flag is that there's a preflight
> request if upload event listeners are registered, because otherwise you can
> determine the existence of a server. Now the obvious way to fix CORS would
> be to add an additional condition in the text you quoted above, namely that
> the force preflight flag is unset; however, that would mean that caching is
> bypassed too.

Just add the "force preflight flag is unset" condition to only the "is
simple method" check. That way a cache hit still prevents a
preflight even if the force-flag is set.

Note that a cache hit can only happen if a preflight-check has been
successful *from the requesting origin*. So things should still be
safe.

At least that's how we have it implemented in Firefox.

/ Jonas

Received on Wednesday, 15 February 2012 07:06:34 UTC
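
The three placements of the force preflight flag discussed in this thread, modelled side by side. This is an added example, not part of the original messages and not spec text or Firefox code; the function names, the `cache` object shape and the sample request are assumptions made for illustration.

```javascript
// Added illustration of the preflight-skip condition; hypothetical names, not spec or browser code.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Simplification: Content-Type is simple only for some values, so it is left out here.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// `cache` stands for the preflight cache entries already scoped to the
// requesting origin and the target URL: { methods: Set, headers: Set }.
function headersOk(req, cache) {
  return req.headers.every((h) => {
    const name = h.toLowerCase();
    return cache.headers.has(name) || SIMPLE_HEADERS.has(name);
  });
}

// Each variant returns true when the preflight may be skipped.
const variants = {
  // Condition as quoted from the draft: the force preflight flag is never consulted.
  asQuoted(req, cache) {
    const methodOk = cache.methods.has(req.method) || SIMPLE_METHODS.has(req.method);
    return methodOk && headersOk(req, cache);
  },
  // Flag added as an extra top-level condition: a set flag also bypasses the cache.
  flagOnWholeCondition(req, cache) {
    return !req.forcePreflight && variants.asQuoted(req, cache);
  },
  // Flag added to the "is simple method" check only, as proposed in the reply.
  flagOnSimpleMethodOnly(req, cache) {
    const methodOk = cache.methods.has(req.method) ||
      (!req.forcePreflight && SIMPLE_METHODS.has(req.method));
    return methodOk && headersOk(req, cache);
  },
};

// Returns true when the preflight request must be sent.
function needsPreflight(variant, req, cache) {
  return !variants[variant](req, cache);
}

// Constructed sample state: simple method, no author request headers, flag set.
const upload = { method: "POST", headers: [], forcePreflight: true };
const emptyCache = { methods: new Set(), headers: new Set() };
const warmCache = { methods: new Set(["POST"]), headers: new Set() };

for (const v of Object.keys(variants)) {
  console.log(v, "empty cache:", needsPreflight(v, upload, emptyCache),
    "warm cache:", needsPreflight(v, upload, warmCache));
}
```

With the flag set and an empty cache, only the quoted condition skips the preflight; with a cache entry for the method, only the top-level placement still sends one.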