Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

2012-01-09 Thread Vladimir Dzhuvinov
On Sat, 2011-12-17 at 16:10 +0100, Anne van Kesteren wrote: > On Fri, 29 Jul 2011 14:25:07 +0200, Vladimir Dzhuvinov > wrote: > > Regarding "6. Resource processing model": [item 3] "A list of headers > > consisting of zero or more header field names that

Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

2011-07-29 Thread Vladimir Dzhuvinov
e that qualify as simple? Because right now the Java CORS filter expects to receive only non-simple headers in "Access-Control-Request-Headers", and if for some reason the browser has decided to include a simple header, e.g. "Accept", in the preflight request it won't be

Re: [CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

2011-07-27 Thread Vladimir Dzhuvinov
On 27 July 2011 17:44, Jonas Sicking wrote: > On Wed, Jul 27, 2011 at 9:32 AM, Vladimir Dzhuvinov > wrote: >> Hi guys, >> >> I'm the maintainer of CORS Filter, a small library for retrofitting >> Java web apps with CORS support. >> >> A devel

[CORS] Does "Origin" have to be included in the "Access-Control-Request-Headers" field?

2011-07-27 Thread Vladimir Dzhuvinov
custom headers appended to the XHR request by means of its "setRequestHeader" method. Is this so? My tests have also shown that FF, Safari, IE and also Chrome (up to version 12) do not include "Origin" in the "Access-Control-Request-Headers" header of outgoing CORS

Re: [CORS] Suggested HTTP error codes on forbidden origin, unsupported method, etc.?

2010-09-29 Thread Vladimir Dzhuvinov
On 29 September 2010 13:48, Anne van Kesteren wrote: > On Sun, 26 Sep 2010 12:01:59 +0200, Vladimir Dzhuvinov > wrote: >> >> I looked at various CORS examples, but they were not particularly >> instructional on how the server should respond if the origin is not >>

Re: [CORS] Multiple origin values?

2010-09-28 Thread Vladimir Dzhuvinov
there - no simple headers at all are returned on a CORS response, not even the ones marked by "Access-Control-Expose-Headers" :( Vladimir -- Vladimir Dzhuvinov :: software.dzhuvinov.com

Re: [CORS] Multiple origin values?

2010-09-27 Thread Vladimir Dzhuvinov
ith multiple origin URLs at the bottom to minimise the risk of misunderstanding. Also, it could somewhat help if the contents of sections 5.1.2 and 5.2.2 were made identical. -- Vladimir Dzhuvinov :: software.dzhuvinov.com

Re: [CORS] Multiple origin values?

2010-09-27 Thread Vladimir Dzhuvinov
rg/En/HTTP_access_control#section_3 "...The Access-Control-Allow-Origin header should contain a comma separated list of acceptable domains..." If space-separated is correct I'll have to correct the docs and possibly file a bug report too. Vladimir -- Vladimir Dzhuvinov :: software.dzhuvinov.com

[CORS] Suggested HTTP error codes on forbidden origin, unsupported method, etc.?

2010-09-26 Thread Vladimir Dzhuvinov
ng to respond with HTTP 403 Forbidden - on an origin that is not allowed HTTP 405 Method not allowed - on an unsupported method Does this make sense? How should the server respond if it receives a custom header that is not listed as supported? Vladimir -- Vladimir Dzhu

[CORS] Access-Control-Expose-Headers

2010-09-24 Thread Vladimir Dzhuvinov
Regarding the CORS spec: Shouldn't "list of exposed headers" be added to the resource policy bullet list? Or is that already covered by "list of supported headers"? http://www.w3.org/TR/access-control/#resource-processing-model -- Vladimir Dzhuvinov :: software.dzhuvinov.com

[CORS] Multiple origin values?

2010-09-24 Thread Vladimir Dzhuvinov
ldn't the server app determine whether AND or OR matching is more appropriate? Vladimir -- Vladimir Dzhuvinov :: software.dzhuvinov.com

Re: [cors] Case-sensitive matching of origin URLs?

2010-09-24 Thread Vladimir Dzhuvinov
in with. Does this mean that the value of the origin header should be treated as an arbitrary string? Because if I don't parse the origin value I have no means of knowing that it actually represents a valid origin. Vladimir -- Vladimir Dzhuvinov :: software.dzhuvinov.com

[cors] Case-sensitive matching of origin URLs?

2010-09-24 Thread Vladimir Dzhuvinov
tch, regardless of their case (upper or lower): http://tools.ietf.org/html/draft-abarth-origin-07 The CORS draft on the other hand requires case-sensitive matching of origins: http://www.w3.org/TR/access-control/#resource-requests Please, advise. Vladimir -- Vladimir Dzhuvinov :: software.dzhuvinov.com