28861 2015-06-28 18:28:57 +0000 Section 6.2 Preflight Request, step 10, second note: "Access-Control-Allow-Headers" instead of "Access-Control-Request-Headers" 2015-07-01 17:48:28 +0000 1 1 1 Unclassified WebAppsSec CORS unspecified All All NEW P2 normal --- 1 claude.pache annevk hillbrad mike public-webappsec wseltzer dave.null oldest_to_newest 121514 0 claude.pache 2015-06-28 18:28:57 +0000 In http://www.w3.org/TR/cors/#resource-preflight-requests Section 6.2 Preflight Request, step 10, second Note: "Since the list of headers can be unbounded, simply returning supported headers from Access-Control-Allow-Headers can be enough." s/Access-Control-Allow-Headers/Access-Control-Request-Headers/ 121521 1 annevk 2015-06-29 09:32:53 +0000 1) That document is obsolete, use https://fetch.spec.whatwg.org/ instead. 2) If we do any kind of fix here, removing that statement would be better since that proposed fix does not really make it any better. 121530 2 claude.pache 2015-06-30 09:41:34 +0000 > 1) That document is obsolete, use https://fetch.spec.whatwg.org/ instead. Thanks for the information. An issue is that (1) there is no clue in the w3c document suggesting that it should be considered as obsolete, and (2) references found on the web routinely refers to the w3c document as "the CORS specification" without mentioning the whatwg document. 121531 3 annevk 2015-06-30 09:45:53 +0000 Brad, can we mark CORS as obsolete? Or update it to point to the latest version? I keep getting private emails about it too suggesting we're wasting a lot of people their time.