RE: [cors] Simplify CORS Headers (ISSUE-89)

In IE, we only support Access-Control-Allow-Origin and combining with other values (albeit optional ones) that we don't support might be misleading. It also introduces some additional parsing that changes the behaviour from a simple comparison to a more complex parse and then compare.

We wouldn't be able to drop support for the current header so we'd need to support both and have a precedence order for which wins if both headers are present with different values. It's unlikely we'd issue a patch for IE8 unless there was strong customer demand and even if we did, there's no guarantee that it would be installed so services would still need to send both headers.

I'm not all that keen on changing the names at this point either.

Adrian.

On Friday, May 14, 2010 10:19 AM, Arthur Barstow wrote:
> Simpler and/or shorter would indeed be good, although it may be too
> late.
> 
> Jonas, IE Guys (Chris, Adrian, ...) - what is your input on this issue?
> 
> -Art Barstow
> 
> On May 13, 2010, at 3:39 AM, ext Maciej Stachowiak wrote:
> > On May 6, 2010, at 5:30 PM, Anne van Kesteren wrote:
> >> I suggest we merge Access-Control-Allow-Origin, Access-Control-
> >> Allow-Credentials, and Access-Control-Max-Age into a new header,
> >> named CORS. The syntax of this new header would be:
> >>
> >>  "CORS" : "credentials"? origin-value delta-seconds?

> > I'm not that keen on changing the names, but if we do, I think
> > "CORS" might be a bit mysterious by itself as a header name. Here's
> > another set of naming suggestions, if we do go down the renaming
> > path (which for the record I'd rather not):
> >
> > CORS ==> Allow-Access or Expose-Response
> > CORS-Methods ==> Allow-Methods
> > CORS-Headers ==> Allow-Headers (or Allow-Request-Headers)
> > CORS-Preflight ==> can't think of a better name for this
> > new header to expose more response headers ==> Expose-Headers (or
> > Expose-Response-Headers)
> >
> > Regards,
> > Maciej
>

Received on Monday, 24 May 2010 15:25:26 UTC