This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
This was cloned from bug 16841 as part of operation convergence.
Originally filed: 2012-04-24 17:52:00 +0000
Original reporter: Patrick Ladd <Pat_Ladd2@cable.comcast.com>

================================================================================
#0 Patrick Ladd 2012-04-24 17:52:20 +0000
--------------------------------------------------------------------------------
Section 2.7.6 "CORS-enabled fetch" executes the CORS "resource sharing check" which fails if the server did not include an Access-Control-Allow-Origin header in the response to the request. This implies that if the user agent did not send an Origin header the resource sharing check will fail and cause the potentially CORS-enabled fetch to taint or fail depending on the mode.

In order to clarify the expectation, one possible solution is a statement describing what happens when the Origin header is not sent by the user agent. For example, add a sentence at the end of the first paragraph in section 2.7.6 that states, "If the user agent did not include an Origin header in the request, then the result of the potentially CORS-enabled fetch is success as defined for URL has the same origin as origin."

================================================================================
#1 Anne 2012-04-24 20:23:48 +0000
--------------------------------------------------------------------------------
The expectation would be that it is tainted.

================================================================================
#2 Patrick Ladd 2012-04-24 20:35:55 +0000
--------------------------------------------------------------------------------
Are you saying a clarification isn't needed or the recommended statement should indicate taint rather than success?

================================================================================
#3 Anne 2012-04-24 20:39:41 +0000
--------------------------------------------------------------------------------
Clarification might be nice, although user agents that do not implement CORS seem somewhat broken to me, but you can definitely never get more sharing without CORS than with. It should be either tainted or result in failure.

================================================================================
#4 Mark Vickers 2012-04-26 19:22:03 +0000
--------------------------------------------------------------------------------
So, why don't we require CORS?

================================================================================
#5 Odin Hørthe Omdal 2012-05-08 12:47:45 +0000
--------------------------------------------------------------------------------
Hmm. What are you more specifically asking about? The user agent always sends an Origin header if it's doing a CORS-enabled fetch.

http://dev.w3.org/html5/spec/urls.html#cors-enabled-fetch

So e.g. <img src=cross> will always show you the picture, but it'll be tainted because that's the default - AFAIK it won't send an Origin header because its mode is "No CORS".

<img src=cross crossorigin>, however, will take a different branch and do a real cross-fetch (either success or fail).

<img src=same crossorigin> will go into the first branch, but will restart the algorithm if it's redirected to cross.

So all real cross-domain uses should be sending an Origin header, AFAICS.

================================================================================
#6 Patrick Ladd 2012-05-10 23:40:33 +0000
--------------------------------------------------------------------------------
The user agent may always send an Origin header when doing a CORS-enabled fetch, but I don't see where the CORS or HTML5 specifications mandate use of that header.

I thought there might be reluctance to add such a requirement so the initial proposal was to clarify what happens when the user agent does not send an Origin header. I'm hopeful the editors will acknowledge that lack of clarity and either accept or make counter proposals to the suggestions.

================================================================================
I've updated HTML to say that if you implement HTTP you must implement Origin also. This then invokes all the rules in the Origin spec about "the origin that initiated the HTTP request", which causes the header to be included.
(see bug 17836)
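As an added example (not code from the thread or from any W3C spec), the following is a simplified model of the three <img> branches described in comment #5 and of the resource sharing check at the heart of comment #0; the function names and the header representation are assumptions, and the check includes the wildcard rule from the CORS spec (only "*" passes without matching the sent Origin, and never with credentials).

```javascript
// Added, hypothetical model of the "potentially CORS-enabled fetch" outcome.
// responseHeaders: lower-cased header name -> array of values.

// Map the crossorigin content attribute to a request mode, as HTML does:
// attribute absent -> "No CORS"; "use-credentials" -> "Use Credentials";
// any other value (including the empty string) -> "Anonymous".
function corsMode(crossoriginAttr) {
  if (crossoriginAttr === null || crossoriginAttr === undefined) return "No CORS";
  return crossoriginAttr.toLowerCase() === "use-credentials" ? "Use Credentials" : "Anonymous";
}

// Resource sharing check (simplified): exactly one Access-Control-Allow-Origin
// value, which is "*" (only without credentials) or equals the Origin that was
// actually sent. If no Origin header was sent there is nothing to match, so a
// non-wildcard response fails, which is the situation comment #0 raises.
function resourceSharingCheck(sentOrigin, responseHeaders, credentialsFlag) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (!Array.isArray(acao) || acao.length !== 1) return "fail";
  const value = acao[0];
  if (value === "*" && !credentialsFlag) return "pass";
  if (sentOrigin === null || value !== sentOrigin) return "fail";
  if (credentialsFlag) {
    const acac = responseHeaders["access-control-allow-credentials"];
    if (!Array.isArray(acac) || acac[0] !== "true") return "fail";
  }
  return "pass";
}

// Outcome of a potentially CORS-enabled fetch for one request/response pair.
// Same-origin: success. Cross-origin with mode "No CORS": the resource loads
// but is tainted. Otherwise a real CORS fetch: success or failure per the check.
function potentiallyCorsEnabledFetch({ sameOrigin, mode, sentOrigin, responseHeaders }) {
  if (sameOrigin) return "success";
  if (mode === "No CORS") return "tainted";
  const credentialsFlag = mode === "Use Credentials";
  return resourceSharingCheck(sentOrigin, responseHeaders, credentialsFlag) === "pass"
    ? "success"
    : "failure";
}
```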