- From: Per-Erik Brodin <per-erik.brodin@ericsson.com>
- Date: Tue, 21 Jun 2011 16:08:01 +0200
On 2011-06-20 21:28, Jonas Sicking wrote: > On Mon, Jun 20, 2011 at 7:13 AM, Per-Erik Brodin > <per-erik.brodin at ericsson.com> wrote: >> On 2011-06-20 12:53, Jonas Sicking wrote: >>> >>> Headers that the implementation adds doesn't need to be added to this >>> list. For example the "Host" header is set by the browser in almost >>> all situations, but it does not need to be added to the list of >>> "simple headers". Indeed, adding in there would an out right bad idea. >>> >>> So I'm not convinced that the Last-Event-ID header needs to be in the >>> list. >> >> Only "custom request headers" are matched against the list of "simple >> headers" and "Host" is not a custom header set by the EventSource >> implementation, hence there is no need to add it to the list. >> >> In XHR Level 2 the custom request headers are the "author request headers". >> An option would be to always match the list of simple headers against author >> request headers only. > > It seems like you are saying exactly what I was saying? Am I missing something? What I am saying is that currently CORS defines "custom request headers" and that can be interpreted as all headers that are set by the API implementations (such as "Last-Event-ID" set by EventSource but not including the headers normally set by the HTTP loader, such as "Host"), regardless if they are author supplied or not. Since this has the downside that all new specifications that want to use CORS will have to rely on the CORS spec being updated if any new custom headers are going to be used, I agree with your proposal to match only author supplied headers against the list of simple headers. //Per-Erik
Received on Tuesday, 21 June 2011 07:08:01 UTC