On May 6, 2010, at 5:30 PM, Anne van Kesteren wrote:

> Here is a brief proposal for how we could simplify the current set of CORS 
> headers. We can use this thread to evaluate whether it is worth breaking with 
> what Firefox, Safari, Chrome, and IE are doing now. And whether all parties 
> are willing to change their supported syntax in due course.
> 
> Furthermore, I suggest that if we have nothing conclusive on this topic by 
> June 15 we consider ISSUE-89[1] as resolved. We have to move on at some 
> point. (Maybe the chairs should issue a CfC for this to make it official.)
> 
> 
> I suggest we merge Access-Control-Allow-Origin, 
> Access-Control-Allow-Credentials, and Access-Control-Max-Age into a new 
> header, named CORS. The syntax of this new header would be:
> 
>  "CORS" : "credentials"? origin-value delta-seconds?
> 
> Access-Control-Allow-Methods and Access-Control-Allow-Headers become 
> CORS-Methods and CORS-Headers respectively. I do not think it is worth trying 
> to merge these in as well.
> 
> We keep the Origin header.
> 
> And Access-Control-Request-Method and Access-Control-Request-Headers are 
> merged into a new header, named CORS-Preflight. The syntax of this new header 
> would be:
> 
>  "CORS-Preflight" : Method [SP field-name]*
> 
> 
> [1]<http://www.w3.org/2008/webapps/track/issues/89>
> 


I'm not that keen on changing the names, but if we do, I think "CORS" might be 
a bit mysterious by itself as a header name. Here's another set of naming 
suggestions, if we do go down the renaming path (which for the record I'd 
rather not):

CORS ==> Allow-Access or Expose-Response
CORS-Methods ==> Allow-Methods
CORS-Headers ==> Allow-Headers (or Allow-Request-Headers)
CORS-Preflight ==> can't think of a better name for this
new header to expose more response headers ==> Expose-Headers (or 
Expose-Response-Headers)

Regards,
Maciej
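
The merged response header proposed in the quoted message, worked through as a parser. This is an added example, not code from the thread or from any browser. It assumes whitespace-separated tokens, an origin-value of "*", "null" or a single scheme://host[:port] origin, and it carries over the existing rule that a wildcard origin cannot be combined with credentials; the names parseCorsHeader and toAccessControlHeaders are hypothetical.

```javascript
// Proposed syntax from the quoted message:
//   "CORS" : "credentials"? origin-value delta-seconds?
// Assumed here: tokens are whitespace-separated; origin-value is "*", "null",
// or one scheme://host[:port] origin.
function parseCorsHeader(value) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  let i = 0;
  let credentials = false;
  // The optional leading keyword replaces Access-Control-Allow-Credentials.
  if (tokens[i] === "credentials") { credentials = true; i++; }
  const origin = tokens[i++];
  if (origin === undefined) throw new SyntaxError("missing origin-value");
  const isOrigin = /^[a-z][a-z0-9+.-]*:\/\/[^\/\s?#]+$/i.test(origin);
  if (origin !== "*" && origin !== "null" && !isOrigin) {
    throw new SyntaxError("bad origin-value: " + origin);
  }
  // Carried over from the existing headers: no wildcard with credentials.
  if (credentials && origin === "*") {
    throw new SyntaxError("wildcard origin not allowed with credentials");
  }
  // The optional trailing integer replaces Access-Control-Max-Age.
  let maxAge = null;
  if (i < tokens.length) {
    if (!/^\d+$/.test(tokens[i])) throw new SyntaxError("bad delta-seconds");
    maxAge = Number(tokens[i++]);
  }
  if (i !== tokens.length) throw new SyntaxError("unexpected trailing token");
  return { credentials, origin, maxAge };
}

// Map the parsed value back onto the three headers it would replace.
function toAccessControlHeaders(parsed) {
  const headers = { "Access-Control-Allow-Origin": parsed.origin };
  if (parsed.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (parsed.maxAge !== null) headers["Access-Control-Max-Age"] = String(parsed.maxAge);
  return headers;
}

// Constructed sample values, not taken from the thread.
for (const sample of ["*", "http://example.org 600", "credentials http://example.org 3600"]) {
  console.log(sample, "=>", JSON.stringify(toAccessControlHeaders(parseCorsHeader(sample))));
}
```

Because all three fields are positional, a value such as "credentials" on its own has to be rejected rather than read as an origin, which is the kind of ambiguity a receiver of the merged header must settle explicitly.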

