- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 17 Dec 2011 16:10:28 +0100
- To: "Vladimir Dzhuvinov" <vladimir@dzhuvinov.com>
- Cc: "Jonas Sicking" <jonas@sicking.cc>, public-webapps@w3.org, satish.cattamanchi@gmail.com
On Fri, 29 Jul 2011 14:25:07 +0200, Vladimir Dzhuvinov <vladimir@dzhuvinov.com> wrote: > Regarding "6. Resource processing model": [item 3] "A list of headers > consisting of zero or more header field names that are supported by > the resource.": > > Is this list supposed to be > > 1) of the non-simple headers only - as per > http://dev.w3.org/2006/waf/access-control/#simple-header or > > 2) of all supported headers that the author may choose to set, > including those that qualify as simple? > > Because right now the Java CORS filter expects to receive only > non-simple headers in "Access-Control-Request-Headers", and if for > some reason the browser has decided to include a simple header, e.g. > "Accept", in the preflight request it won't be allowed to proceed. My apologies for forgetting to reply to this message. Fortunately it was still somewhere in my inbox! It seems your Java CORS filter has a bug as simple headers can be included there (for consistency). -- Anne van Kesteren http://annevankesteren.nl/
Received on Saturday, 17 December 2011 15:11:02 UTC