W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

Re: [CORS] Understanding the definition of simple headers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 21 Aug 2013 15:07:57 +0100
Message-ID: <CADnb78iVTK_XQKBztXFQvYX5GsLkQTQqrQ5Z4d7UXaUifWUBmQ@mail.gmail.com>
To: Monsur Hossain <monsur@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Aug 21, 2013 at 6:12 AM, Monsur Hossain <monsur@gmail.com> wrote:
> The latest CORS spec defines the simple headers as Accept, Accept-Language
> and Content-Language. However the spec doesn't provide any insight into why
> these particular headers are special. What is the motivation for defining
> these as simple headers? My initial assumption was that a preflight was
> required for any cross-origin request that couldn't be done before the CORS
> spec existed. But its not clear to me how an author could set these simple
> headers on cross-origin requests before CORS.

Accept is pretty random due to plugins. Accept-Language and
Content-Language I guess we considered safe enough. Not sure there was
any particularly strong rationale...

Received on Wednesday, 21 August 2013 14:08:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC