
Re: Allow custom headers (Websocket API)

From: Takeshi Yoshino <tyoshino@google.com>
Date: Thu, 5 Feb 2015 22:55:55 +0900
Message-ID: <CAH9hSJY-oCuE22Yx1QZo7LXEYjR1PCeww8pyMu+_jf4bECfL8A@mail.gmail.com>
To: Florian Bösch <pyalot@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Michiel De Mey <de.mey.michiel@gmail.com>, WebApps WG <public-webapps@w3.org>

> 2. If the following conditions are true, follow the simple cross-origin
> request algorithm:
> - The request method is a simple method and the force preflight flag is
> - Each of the author request headers is a simple header or author request
> headers is empty.
> 3. Otherwise, follow the cross-origin request with preflight algorithm.


> request's unsafe request flag is set and either request's method is not a
> simple method or a header in request's header list is not a simple header
>   Set request's response tainting to CORS.
>   The result of performing an HTTP fetch using request with the CORS flag
>   and CORS preflight flag set.

The Authorization header is not a simple header.

On Thu, Feb 5, 2015 at 10:48 PM, Florian Bösch <pyalot@gmail.com> wrote:

> On Thu, Feb 5, 2015 at 2:44 PM, Takeshi Yoshino <tyoshino@google.com>
> wrote:
>> IIUC, CORS prevents clients from issuing non-simple cross-origin requests
>> (even idempotent methods) without verifying that the server understands
>> CORS. That's realized by preflight.
> Incorrect, the browser will perform idempotent requests (for instance
> <img> or XHR GET) across domains without a preflight request. It will
> however not make the data available to the client (javascript specifically)

That's the tainting part.

> unless CORS is satisfied (XHR GET will error out, and <img> will throw a
> glError on gl.texImage2D if CORS isn't satisfied).
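To make the two quoted spec steps concrete, here is an added JavaScript model of the decision (not code from the thread or from any browser); the simple-method and simple-header lists are those of the CORS spec of the time, while the request object shape and the sample requests are constructed for this example:

```javascript
// Added example (not from the thread): a model of the quoted CORS decision
// rule. The simple-method/simple-header lists follow the CORS spec of the
// time; the request shape and sample requests are constructed here.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A header is simple only if its name is on the list and, for Content-Type,
// its media type (parameters stripped) is one of the three allowed values.
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (!SIMPLE_HEADERS.has(n)) return false;
  if (n !== "content-type") return true;
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// Mirrors steps 2 and 3 quoted above: a cross-origin request takes the
// simple path only if the method is simple, the force preflight flag is
// unset, and every author header is simple (an empty header list counts
// as all-simple); otherwise it goes through the preflight algorithm.
function corsPath(request) {
  const { method, headers = {}, forcePreflight = false } = request;
  const allSimple = Object.entries(headers).every(([k, v]) => isSimpleHeader(k, v));
  if (SIMPLE_METHODS.has(method.toUpperCase()) && !forcePreflight && allSimple) {
    return "simple";
  }
  return "preflight";
}

// Constructed sample requests. On either path the response tainting is
// CORS: the body stays opaque to script unless the server's CORS headers
// grant access, which is the "tainting part" discussed above.
const examples = {
  plainGet: corsPath({ method: "GET" }),
  formPost: corsPath({ method: "POST", headers: { "Content-Type": "text/plain" } }),
  jsonPost: corsPath({ method: "POST", headers: { "Content-Type": "application/json" } }),
  authGet: corsPath({ method: "GET", headers: { Authorization: "Bearer <placeholder>" } }),
};
```

The `authGet` case is the one at issue in the thread: a plain cross-origin GET is simple, but adding an Authorization header makes it a preflighted request.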
Received on Thursday, 5 February 2015 13:56:43 UTC
