
Re: [CORS] Understanding the definition of simple headers

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 21 Aug 2013 08:42:39 -0700
Message-ID: <CAEeYn8g6V0jNLBy-Aop7UqLpzQqbWhzU__JE45wuUKHF2mwHEw@mail.gmail.com>
To: Monsur Hossain <monsur@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

The security considerations section discusses that the difference between
simple and non-simple isn't defined by any internal logic, but by
consistency with what existing pre-CORS user agents could already do
cross-origin.

If it was an existing capability of user agents that existing servers had
to be prepared for, it was a "simple" request.  Any new cross-origin
capabilities had to be gated behind a pre-flight check so that CORS
wouldn't be creating additional risk to deployed servers.

In the end, it looks somewhat arbitrary because it reflects the vagaries of
the evolution in the previous 15 years of the Web platform.


On Tue, Aug 20, 2013 at 10:12 PM, Monsur Hossain <monsur@gmail.com> wrote:

> The latest CORS spec defines the simple headers as Accept, Accept-Language
> and Content-Language. However the spec doesn't provide any insight into why
> these particular headers are special. What is the motivation for defining
> these as simple headers? My initial assumption was that a preflight was
> required for any cross-origin request that couldn't be done before the CORS
> spec existed. But it's not clear to me how an author could set these simple
> headers on cross-origin requests before CORS.
>
> Thanks,
> Monsur
>
>
Received on Wednesday, 21 August 2013 15:43:07 UTC
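The rule Brad describes above, applied mechanically, is the test a browser runs before deciding whether to preflight a cross-origin request: if a pre-CORS page could already have sent the request (a link, an image, or an HTML form submission), it is "simple" and goes straight out; anything else is a new capability and is gated behind an OPTIONS check. The following is an added illustration, not code from either poster or from any browser. It assumes the 2013 CORS spec's full lists rather than only the three headers named in the question: simple methods are GET, HEAD and POST, and Content-Type counts as a simple header only with the three media types an HTML form can produce.

```javascript
// Added example (not from the thread): classify a cross-origin request as
// "simple" (no preflight) or "non-simple" (preflight required), following the
// 2013 CORS spec. The guiding idea from the thread: a request is simple exactly
// when a pre-CORS page could already have sent it, so deployed servers were
// already exposed to it.

// Methods an HTML form or a plain navigation could already produce cross-origin.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Author-settable header names the 2013 spec lists as simple (assumption: taken
// from the spec; the question in the thread names only the first three).
const SIMPLE_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);

// Content-Type is simple only for the media types an HTML form can emit.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Strip parameters such as "; charset=utf-8" and normalise case before comparing
// a Content-Type value against the form-producible media types.
function mediaType(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Returns { simple: boolean, reasons: string[] } for a request described by its
// method and the headers the page author set ({ name: value }). Headers the
// browser controls itself (Host, Origin, User-Agent, ...) are not author headers
// and are not passed in.
function classifyRequest(method, authorHeaders) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.has(m)) {
    reasons.push(`method ${m} is not a simple method`);
  }
  for (const [name, value] of Object.entries(authorHeaders)) {
    const lname = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lname)) {
      reasons.push(`header ${name} is not a simple header`);
    } else if (lname === "content-type" && !SIMPLE_CONTENT_TYPES.has(mediaType(value))) {
      reasons.push(`Content-Type ${value} cannot be produced by an HTML form`);
    }
  }
  return { simple: reasons.length === 0, reasons };
}

// Convenience wrapper: does this request require an OPTIONS preflight?
function needsPreflight(method, authorHeaders) {
  return !classifyRequest(method, authorHeaders).simple;
}

// Constructed sample requests for illustration (not captured traffic).
const samples = [
  ["GET", {}],
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
  ["POST", { "Content-Type": "application/json" }],
  ["GET", { "X-Requested-With": "XMLHttpRequest" }],
  ["DELETE", {}],
];
for (const [method, headers] of samples) {
  const r = classifyRequest(method, headers);
  console.log(
    method,
    JSON.stringify(headers),
    r.simple ? "simple" : "preflight required: " + r.reasons.join("; ")
  );
}
```

The JSON POST and the custom X-Requested-With header are the instructive cases: both are things a form could never send, which is exactly why a server that predates CORS may never have checked for them, and why the browser must ask first.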
