Possible error in the "Cross-Origin Resource Sharing" specification, version "http://www.w3.org/TR/2014/REC-cors-20140116/"

From: Mikko Östlund <mikko.ostlund@gmail.com>
Date: Fri, 11 Aug 2017 10:10:44 +0200
Message-ID: <CAHSjBeWKqDYbguAQhy2rv1VXQ10kvk8cx12VeMCYCw+nzcfCDw@mail.gmail.com>
To: public-webappsec@w3.org

To whom it may concern,

I believe there may be an error in the "Cross-Origin Resource Sharing"
specification, as of version "http://www.w3.org/TR/2014/REC-cors-20140116/".

In subsection 6.2, step 10, there is a note reading:

"*Since the list of headers can be unbounded, simply returning supported
headers from Access-Control-Allow-Headers can be enough.*"

I believe it should read:

"*Since the list of headers can be unbounded, simply returning supported
headers from Access-Control-Request-Headers can be enough.*"

Best regards,

Mikko Östlund
Stockholm, Sweden

E-mail: mikko.ostlund@gmail.com
Received on Monday, 14 August 2017 16:24:04 UTC
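
The behaviour the proposed wording describes, as an added example that is not part of the original message or of the specification: a preflight handler whose supported request headers cannot be enumerated, so it answers with the names taken from Access-Control-Request-Headers. The server policy (`FIXED_SUPPORTED`, the `x-app-` prefix) and all function names are assumptions made for illustration.

```python
import re

# Assumption: this hypothetical server accepts a few fixed request headers plus
# any header starting with "x-app-", so its supported list cannot be enumerated.
FIXED_SUPPORTED = {"content-type", "authorization"}
SUPPORTED_PREFIX = "x-app-"
# Characters permitted in an HTTP header field-name (RFC 7230 "token").
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_supported(name: str) -> bool:
    """Case-insensitive check of one header name against the server policy."""
    lowered = name.lower()
    return lowered in FIXED_SUPPORTED or lowered.startswith(SUPPORTED_PREFIX)


def parse_request_headers(value: str) -> list[str]:
    """Split Access-Control-Request-Headers; raise ValueError on a bad name."""
    names = [part.strip() for part in value.split(",") if part.strip()]
    for name in names:
        if not TOKEN.match(name):
            raise ValueError(f"invalid header field-name: {name!r}")
    return names


def preflight_allow_headers(request_headers: dict[str, str]) -> dict[str, str]:
    """Return the header-related part of a preflight response.

    Only the Access-Control-Allow-Headers decision is modelled here; origin
    and method checks are left out.
    """
    raw = request_headers.get("Access-Control-Request-Headers", "")
    try:
        requested = parse_request_headers(raw)
    except ValueError:
        return {}  # unparseable request header: add no CORS header
    if not requested or not all(is_supported(n) for n in requested):
        return {}  # nothing requested, or one unsupported name: add nothing
    # Echo the requested (and supported) names instead of listing every
    # header the server could ever accept.
    return {"Access-Control-Allow-Headers": ", ".join(requested)}
```

Because the response is built only from names that passed `is_supported`, the server never reflects a header it has not explicitly accepted.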
