ISSUE-73: Opting into methods/headers

Opting into methods/headers

HISTORICAL: CORS [this spec uses Bugzilla for Bug/Issue tracking]
Raised by:
Anne van Kesteren
Opened on:
The current Access Control model allows all methods to be used and all headers (apart from a blacklist and some headers require a preflight request in case of GET).

There is a proposal to only allow methods and headers the server has opted into:

[AC] Helping server admins not making mistakes

This would make the server more secure by default when opting into Access Control.

The drawback is again that it makes the model more complicated and more prone to bugs.
Related Actions Items:
No related actions
Related emails:
  1. Re: Call for Exclusions: DOM Parsing and Serialization (from on 2013-12-10)

Related notes:

Moved to Issue #14 in the Web Application WG's Issues database:

23 Jun 2008, 19:46:49

Display change log ATOM feed

Chair, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 73.html,v 1.1 2016/01/25 10:26:23 carine Exp $