cors-preflight needs to handle CORS non-wildcard request-header names #11
Labels
Comments
Closed
|
Ah yeah, we should probably just match it indeed. And then if folks disagree they should argue to change CORS instead. I don't think we want to handle the security discussion on two fronts, so to speak. |
|
OK. Sounds good |
|
FWIW, I think this would be of potential interest to Mozilla, though I've also heard a suggestion of adding a extension bit to TLS to negotiate removal of these preflights, which would be even better performance-wise. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
/cc @annevk
Like Access-Control-Allow-Headers, the headers item should have power to list Authorization header in addition to
"*". CORSOptionList is currently specified to be"*"or a list, and therefore it cannot. The algorithm at 3.4.4. doesn't consider"*"in a list, and as a result it's giving more power to "*" than one in the Fetch Standard.We can also choose to intentionally relax the requirement to list Authorization explicitly for Origin-Wide Policy, but needs to be discussed.
The text was updated successfully, but these errors were encountered: