This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Instead of treating Content-Type as a simple header it should be treated as a header that is checked irrespective of origin (whether set by author or UA). We should also look into unknown MIME type parameters.
I don't understand what this means. The Content-Type header is almost always set for POST. Does this mean all POSTs should be preflighted?
It is about simple headers being only checked against headers set by authors, whereas Content-Type can also be set by the user agent (e.g. if you pass a File object to send()).
Ah, so you're saying we should always check its value against the whitelist, not just when it's set through setRequestHeader or some such? That I agree with.
Having looked at this some more I think actually that in XMLHttpRequest the send() algorithm should just add Content-Type to author request headers instead. send() is effectively doing a setRequestHeader() thing there.
I changed XMLHttpRequest as suggested: http://dev.w3.org/cvsweb/2006/webapi/XMLHttpRequest-2/Overview.src.html.diff?r1=1.204;r2=1.205;f=h

I also clarified CORS that Content-Type is supposed to be listed by servers even though it is sometimes a simple header: http://dvcs.w3.org/hg/cors/rev/83bc552d856f

I think this resolves http://www.w3.org/2011/webappsec/track/actions/11 although the wording of that action is somewhat unclear.
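An added example, not code from the bug thread, the XMLHttpRequest spec or the CORS spec: a model of the "simple request" decision with the thread's resolution applied, i.e. a Content-Type supplied by the user agent from send() is folded into the author request headers before the simple-header check. It assumes the whitelist compares only the MIME type/subtype and ignores parameters; the `needsPreflight`, `parseContentType` and `isSimpleContentType` names are hypothetical.

```javascript
// Example only (not spec text): which cross-origin XHR requests may skip preflight.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Split a Content-Type value into its lowercased essence (type/subtype) and
// a map of parameters. Assumption: parameters never affect the whitelist match.
function parseContentType(value) {
  const [essence, ...rest] = String(value).split(';').map((s) => s.trim());
  const parameters = {};
  for (const p of rest) {
    const eq = p.indexOf('=');
    if (eq === -1) continue;
    parameters[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim();
  }
  return { essence: essence.toLowerCase(), parameters };
}

function isSimpleContentType(value) {
  return SIMPLE_CONTENT_TYPES.has(parseContentType(value).essence);
}

// method: request method; authorHeaders: headers set via setRequestHeader();
// uaContentType: the Content-Type the UA derives from the send() body, or null.
// Returns true when the request must be preflighted.
function needsPreflight(method, authorHeaders, uaContentType) {
  if (!SIMPLE_METHODS.has(String(method).toUpperCase())) return true;
  const headers = {};
  for (const [name, value] of Object.entries(authorHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  // The thread's resolution: send() adds its Content-Type to the author
  // request headers, so it is checked exactly like an author-set one.
  if (uaContentType !== null && !('content-type' in headers)) {
    headers['content-type'] = uaContentType;
  }
  for (const [name, value] of Object.entries(headers)) {
    if (name === 'content-type') {
      if (!isSimpleContentType(value)) return true;
    } else if (!SIMPLE_HEADERS.has(name)) {
      return true;
    }
  }
  return false;
}
```

With this check, a File object whose type is application/octet-stream no longer slips past the whitelist just because the user agent rather than the author wrote the header.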