Re: [CORS] Access-Control-Request-Method from Boris Zbarsky on 2011-12-22 (public-webapps@w3.org from October to December 2011)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 22 Dec 2011 11:05:08 -0500
To: Anne van Kesteren <annevk@opera.com>
CC: public-webapps@w3.org
Message-ID: <4EF35534.2060401@mit.edu>

On 12/22/11 4:51 AM, Anne van Kesteren wrote:
> On Thu, 22 Dec 2011 05:37:35 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> What might be confusing the issue is that preflights are not always
>> done, maybe? A preflight, per
>> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request
>> is done in the following cases:
>>
>> 1) The "force preflight" flag is set.
>> 2) The request method is not a simple method.
>> 3) There is an author request header that's not a simple header.
>>
>> (though it looks to me like item 1 is broken by the actual algorithm
>> for doing a "cross-origin request with preflight"; Anne?)
>
> If you mean that the cache is still honored maybe I should use a
> different name for "force preflight flag". Maybe "force cross-origin
> request with preflight flag"? The point is mostly that we should figure
> out the server if the server supports non-simple cross-origin requests
> for the given URL.

No, what I mean is this.  Say we enter 
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#cross-origin-request 
with the following state:

* "force preflight" flag is true
* Request method is simple method
* No author request headers
* Empty preflight cache (not that this matters)

The spec says we should "follow the cross-origin request with preflight 
algorithm."

Following that link, it says:

   Go to the next step if the following conditions are true:

     For request method there either is a method cache match or it is a
     simple method.

     For every header of author request headers there either is a header
     cache match for the field name or it is a simple header.

Since the method is a simple method and there are no author request 
headers, we skip the preflight and go on to the main request.

Now it's possible that I simply don't understand what this flag is 
_supposed_ to do or that I'm missing something....


>> In any case, if you're using XHR then #1 is likely not relevant,
>
> Actually it is:
> http://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html#cross-origin-request-steps

Ah, interesting.  OK.

-Boris

Received on Thursday, 22 December 2011 16:05:38 UTC