16841 2012-04-24 17:52:20 +0000 Expected use of Origin HTTP header 2012-10-15 23:54:58 +0000 1 1 1 Unclassified HTML WG HTML5 spec unspecified PC Windows NT CLOSED FIXED P2 normal --- 1 Pat_Ladd2 silviapfeiffer1 annevk b.lund cmhjones eoconnor mark_vickers mike odinho public-html-admin public-html-wg-issue-tracking public-html-bugzilla oldest_to_newest 66986 0 Pat_Ladd2 2012-04-24 17:52:20 +0000 Section 2.7.6 "CORS-enabled fetch" executes the CORS "resource sharing check" which fails if the server did not include an Access-Control-Allow-Origin header in the response to the request. This implies that if the user agent did not send an Origin header the resource sharing check will fail and cause the potentially CORS-enabled fetch to taint or fail depending on the mode. In order to clarify the expectation, one possible solution is a statement describing what happens when the Origin header is not sent by the user agent. For example, add a sentence at the end of the first paragraph in section 2.7.6 that states, "If the user agent did not include an Origin header in the request, then the result of the potentially CORS-enabled fetch is success as defined for URL has the same origin as origin." 66989 1 annevk 2012-04-24 20:23:48 +0000 The expectation would be that it is tainted. 66991 2 Pat_Ladd2 2012-04-24 20:35:55 +0000 Are you saying a clarification isn't needed or the recommended statement should indicate taint rather than success? > The expectation would be that it is tainted. 66992 3 annevk 2012-04-24 20:39:41 +0000 Clarification might be nice, although user agents that do not implement CORS seem somewhat broken to me, but you can definitely never get more sharing without CORS than with. It should be either tainted or result in failure. 67114 4 mark_vickers 2012-04-26 19:22:03 +0000 (In reply to comment #3) > Clarification might be nice, although user agents that do not implement CORS > seem somewhat broken to me, So, why don't we require CORS? 67474 5 odinho 2012-05-08 12:47:45 +0000 Hmm. What are you more specifically asking about? The user agent always sends a Origin-header if it's doing a CORS-enabled fetch. http://dev.w3.org/html5/spec/urls.html#cors-enabled-fetch So e.g. <img src=cross> will always show you the picture, but it'll be tainted because that's the default - AFAIK it won't send a origin-header because you it's mode is "No CORS". <img src=cross crossorigin>, however, will take a different branch and do a real cross-fetch (either success or fail). <img src=same crossorigin> will go into the first branch, but will restart the algorithm if it's redirected to cross. So all real cross-domain uses should be sending an Origin-header, AFAICS. 67590 6 Pat_Ladd2 2012-05-10 23:40:33 +0000 The user agent may always send an Origin header when doing a CORS-enabled fetch, but I don't see where the CORS or HTML5 specifications mandate use of that header. I thought there might be reluctance to add such a requirement so the initial proposal was to clarify what happens when the user agent does not send an Origin header. I'm hopeful the editors will acknowledge that lack of clarity and either accept or make counter proposals to the suggestions. 70157 7 contributor 2012-07-18 07:01:25 +0000 This bug was cloned to create bug 17843 as part of operation convergence. 75152 8 eoconnor 2012-10-02 23:27:33 +0000 Silvia, this has been fixed in WHATWG revision r7414. 75720 9 Pat_Ladd2 2012-10-09 19:14:37 +0000 Fixed by the resolution for bug 17843. 75740 10 Pat_Ladd2 2012-10-09 22:43:01 +0000 Fixed by the resolution for bug 17843. 75745 11 Pat_Ladd2 2012-10-09 22:52:43 +0000 Jumped the gun, needs to be fixed in HTML5 as well. 76241 12 silviapfeiffer1 2012-10-14 12:33:11 +0000 EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the Editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the Tracker Issue; or you may create a Tracker Issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy-v2.html Status: Accepted Change Description: https://github.com/w3c/html/commit/f43ac3f0bce8b57f8f7c8891de4093296c049852 Rationale: accepted WHATWG change 76346 13 Pat_Ladd2 2012-10-15 23:54:58 +0000 Verified changes made to WHATWG HTML Living Standard for this issue also made in W3C HTML5 specification.