W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS performance

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Feb 2015 12:20:38 -0800
Message-ID: <CA+c2ei_sMTwN4ho9JztTPQBwxoGfxTFxsqMz2iMxnXZh1W7kkg@mail.gmail.com>
To: Dale Harvey <dale@arandomurl.com>
Cc: Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>
On Thu, Feb 19, 2015 at 4:49 AM, Dale Harvey <dale@arandomurl.com> wrote:
>> so presumably it is OK to set the Content-Type to text/plain
> Thats not ok, but may explain my confusion, is Content-Type considered a
> Custom Header that will always trigger a preflight? if so then none of the
> caching will apply, CouchDB requires sending the appropriate content-type

We most likely can consider the content-type header as *not* "custom".
I was one of the people way back when that pointed out that there's a
theoretical chance that allowing arbitrary content-type headers could
cause security issues. But it seems highly theoretical.

I suspect that the mozilla security team would be fine with allowing
arbitrary content-types to be POSTed though. Worth asking. I can't
speak for other browser vendors of course.

/ Jonas
Received on Thursday, 19 February 2015 20:21:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC