
Re: preflighted CORS requests and redirects: principally impossible?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 24 Jan 2016 05:38:52 -0800
Message-ID: <CADnb78j7x9aceRph=ui+Qi0AKe9ReUWoXbwnQBdvrdX79AtECg@mail.gmail.com>
To: Nico Schlömer <nico.schloemer@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, André Gaul <andre@paperhive.org>
On Fri, Jan 22, 2016 at 7:54 AM, Nico Schlömer <nico.schloemer@gmail.com> wrote:
> Count this as a +1. :)
> (We'll now have to make a decision for our API to be RESTful or to be
> accessible for clients that implement the fetch specification. :/)

I think you are right that maybe the time has come to do this. We also
added Access-Control-Expose-Headers at the request of the HTTP
community and as far as I can tell this is the only thing where there
is still a big gap with respect to what HTTP can do and what HTTP
combined with CORS can do.

I suggest we continue this thread in
https://github.com/whatwg/fetch/issues/204. As noted there it seems
that the current specification has already removed this gap. Not
entirely sure yet whether that is intentional or not, but from cursory
reading it seems to work. Will likely investigate a week from now,
when I'm back home, unless someone else volunteers.

Received on Sunday, 24 January 2016 13:39:16 UTC
