- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 19 Feb 2015 02:50:12 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
On Thu, Feb 19, 2015 at 2:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Thu, Feb 19, 2015 at 11:43 AM, Brian Smith <brian@briansmith.org> wrote: >> 1. Preflight is only necessary for a subset of CORS requests. >> Preflight is never done for GET or HEAD, and you can avoid preflight >> for POST requests by making your API accept data in a format that >> matches what HTML forms post. Therefore, we're only talking about PUT, >> DELETE, less common forms of POST, and other less commonly-used >> methods. > > Euh, if you completely ignore headers, sure. But most HTTP APIs will > use some amount of custom headers, meaning *all* methods require a > preflight. Is it really true that most HTTP APIs will sue some amount of custom headers? And, is is it necessary for these APIs to be designed such that the custom headers are required? Cheers, Brian
Received on Thursday, 19 February 2015 10:50:39 UTC