Possible error in the "Cross-Origin Resource Sharing" specification, version "http://www.w3.org/TR/2014/REC-cors-20140116/" from Mikko Östlund on 2017-08-11 (public-webappsec@w3.org from August 2017)

From: Mikko Östlund <mikko.ostlund@gmail.com>
Date: Fri, 11 Aug 2017 10:10:44 +0200
To: public-webappsec@w3.org
Message-ID: <CAHSjBeWKqDYbguAQhy2rv1VXQ10kvk8cx12VeMCYCw+nzcfCDw@mail.gmail.com>

To whom it may concern,

I believe there may be an error in the "Cross-Origin Resource Sharing"
specification,
as of version "http://www.w3.org/TR/2014/REC-cors-20140116/".

In subsection 6.2, step 10, there is a note reading:

"*Since the list of headers can be unbounded, simply returning supported
headers from Access-Control-Allow-Headers can be enough.*"

I believe it should read:

"*Since the list of headers can be unbounded, simply returning supported
headers from Access-Control-Request-Headers can be enough.*"

Best regards,

Mikko Östlund
Stockholm, Sweden

E-mail: mikko.ostlund@gmail.com

Received on Monday, 14 August 2017 16:24:04 UTC