- From: <bugzilla@jessica.w3.org>
- Date: Thu, 22 Dec 2011 10:26:19 +0000
- To: public-webappsec@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=15312 Summary: lowercasing requirement for Access-Control-Request-Headers harmful Product: WebAppsSec Version: unspecified Platform: All URL: http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html# cross-origin-request-with-preflight-0 OS/Version: All Status: NEW Severity: normal Priority: P2 Component: CORS AssignedTo: annevk@opera.com ReportedBy: julian.reschke@gmx.de QAContact: dave.null@w3.org CC: mike@w3.org, public-webappsec@w3.org "If author request headers is not empty include an Access-Control-Request-Headers header with as header field value a comma-separated list of the header field names from author request headers in lexicographical order, each converted to ASCII lowercase (even when one or more are a simple header)." The requirement to lower-case header field names is harmful; it introduces an inconsistency with other HTTP header fields (Vary, Connection) that is not needed, as header field names are supposed to compared case-insensitively anyway. -- Configure bugmail: https://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Thursday, 22 December 2011 10:26:42 UTC