This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 28861 - Section 6.2 Preflight Request, step 10, second note: "Access-Control-Allow-Headers" instead of "Access-Control-Request-Headers"
Status: NEW
Alias: None
Product: WebAppsSec
Classification: Unclassified
Component: CORS
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Anne
QA Contact: This bug has no owner yet - up for the taking
Reported: 2015-06-28 18:28 UTC by Claude Pache
Modified: 2015-07-01 17:48 UTC

Description Claude Pache 2015-06-28 18:28:57 UTC
In http://www.w3.org/TR/cors/#resource-preflight-requests
Section 6.2 Preflight Request, step 10, second Note:

  "Since the list of headers can be unbounded, simply returning supported headers from Access-Control-Allow-Headers can be enough."

s/Access-Control-Allow-Headers/Access-Control-Request-Headers/
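
Added example (not part of the bug report or of the specification text): a sketch of what the corrected note describes, where a preflight response lists in Access-Control-Allow-Headers only the supported names taken from the request's Access-Control-Request-Headers. The allowlist contents and the names `SUPPORTED_HEADERS`, `parseHeaderList` and `preflightAllowHeaders` are hypothetical, and treating any unsupported requested header as a failed preflight is an assumption of this sketch.

```javascript
// Constructed allowlist: headers this resource accepts on the actual request.
// Stored lowercase because header field-names compare case-insensitively.
const SUPPORTED_HEADERS = new Set([
  "content-type",
  "x-requested-with",
  "x-csrf-token",
]);

// Split a comma-separated header list value into lowercase field-names.
function parseHeaderList(value) {
  if (!value) return [];
  return value
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Compute the Access-Control-Allow-Headers value for a preflight response.
// Returns:
//   null   -> a requested header is not supported; answer without CORS headers
//   ""     -> nothing was requested; the response header can be omitted
//   string -> the supported names that were requested, de-duplicated
// Only names present in the allowlist are ever returned, so the raw request
// value is never reflected into the response.
function preflightAllowHeaders(requestHeadersValue, supported = SUPPORTED_HEADERS) {
  const granted = new Set();
  for (const name of parseHeaderList(requestHeadersValue)) {
    if (!supported.has(name)) return null;
    granted.add(name);
  }
  return [...granted].join(", ");
}

// Constructed sample Access-Control-Request-Headers values.
for (const sample of ["Content-Type, X-CSRF-Token", "Content-Type, X-Unlisted", ""]) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(preflightAllowHeaders(sample)));
}
```
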
Comment 1 Anne 2015-06-29 09:32:53 UTC
1) That document is obsolete, use https://fetch.spec.whatwg.org/ instead.
2) If we do any kind of fix here, removing that statement would be better since that proposed fix does not really make it any better.
Comment 2 Claude Pache 2015-06-30 09:41:34 UTC
> 1) That document is obsolete, use https://fetch.spec.whatwg.org/ instead.

Thanks for the information.

An issue is that (1) there is no clue in the w3c document suggesting that it should be considered as obsolete, and (2) references found on the web routinely refer to the w3c document as "the CORS specification" without mentioning the whatwg document.
Comment 3 Anne 2015-06-30 09:45:53 UTC
Brad, can we mark CORS as obsolete? Or update it to point to the latest version? I keep getting private emails about it too suggesting we're wasting a lot of people's time.