19315 2012-10-07 04:45:27 +0000 Last-Event-ID header should be a simple header 2013-10-28 14:19:28 +0000 1 1 1 Unclassified WebAppsSec CORS unspecified PC Windows 3.1 RESOLVED DUPLICATE 17042 P2 normal --- 1 vic99999 annevk mike public-webappsec dave.null oldest_to_newest 75501 0 vic99999 2012-10-07 04:45:27 +0000 "Last-Event-ID" header, used by EventSource - http://dev.w3.org/html5/eventsource/ , should be a simple header EventSource already allows CORS with this header without preflight http://hg.mozilla.org/releases/mozilla-release/file/dc25520cbe46/content/base/src/nsXMLHttpRequest.cpp#l3277 Thanks P.S. Seems, Firefox allows to use this headers for simple CORS request: accept, accept-language, content-language, content-type, last-event-id And Webkit allows: accept, accept-language, content-language, content-type, origin, referer 76104 1 annevk 2012-10-12 13:44:28 +0000 That EventSource uses it does not mean everyone should be allowed to use it without preflight. It's just part of the EventSource protocol; it's not an author request header. 76106 2 vic99999 2012-10-12 14:43:23 +0000 EventSource can not be polyfilled with XMLHttpRequest without it. If EventSource can do this with CORS and passing through redirects, then there is no risks. What is a main problem to include this header in simples headers list? 76107 3 annevk 2012-10-12 14:57:27 +0000 Isn't it too late to polyfill? EventSource is much more limited in scope than XMLHttpRequest is, so there is some (largely theoretical) risk. I don't really mind either way, I suggest talking to some implementors. 76115 4 vic99999 2012-10-12 16:16:08 +0000 >>Isn't it too late to polyfill? I think, it is not. 80333 5 annevk 2012-12-18 11:02:05 +0000 We decided at the F2F that we do not want to expand the list of simple headers. We want to make CORS more stable and this proposal does not have much merit (EventSource is in almost all browsers already, and in those it is not Last-Event-ID is not a simple header either so that doesn't help either way), and therefore is rejected. 95433 6 annevk 2013-10-28 14:19:28 +0000 *** This bug has been marked as a duplicate of bug 17042 ***