Like Access-Control-Allow-Headers, the headers item should have the power to list the Authorization header in addition to "*". CORSOptionList is currently specified to be "*" or a list, and therefore it cannot. The algorithm at 3.4.4. doesn't consider "*" in a list, and as a result it's giving more power to "*" than the one in the Fetch Standard.
We can also choose to intentionally relax the requirement to list Authorization explicitly for Origin-Wide Policy, but that needs to be discussed.
Ah yeah, we should probably just match it indeed. And then if folks disagree they should argue to change CORS instead. I don't think we want to handle the security discussion on two fronts, so to speak.
FWIW, I think this would be of potential interest to Mozilla, though I've also heard a suggestion of adding an extension bit to TLS to negotiate removal of these preflights, which would be even better performance-wise.
/cc @annevk
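The difference raised in this issue, as an added example that is not part of the thread or of either specification's text: the first check follows the Fetch Standard's handling of `Access-Control-Allow-Headers`, where `*` never covers `Authorization` and is only a wildcard for requests without credentials. The second is a simplified sketch of a "`*` or a list" option as the issue describes it. All function names are hypothetical, and treating a `*` inside a list as a literal name is an assumption of the sketch.

```javascript
// Added illustration; names are hypothetical, not taken from either spec.
// Fetch: `Authorization` is a "CORS non-wildcard request-header name".
const NON_WILDCARD = new Set(["authorization"]);

// Parse an Access-Control-Allow-Headers value into a set of lowercase names.
function parseAllowHeaders(value) {
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0)
  );
}

// Fetch-style check. requestHeaders holds the request's CORS-unsafe header
// names; credentialsInclude is true when credentials mode is "include".
function fetchStyleAllows(allowHeadersValue, requestHeaders, credentialsInclude) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" acts as a wildcard only for requests sent without credentials.
  const wildcard = allowed.has("*") && !credentialsInclude;
  return requestHeaders.every((name) => {
    const n = name.toLowerCase();
    if (allowed.has(n)) return true;        // explicitly listed
    if (NON_WILDCARD.has(n)) return false;  // "*" never covers Authorization
    return wildcard;
  });
}

// Sketch of a "*"-or-list option: the string "*" allows every header,
// an array allows only the names it contains (assumption: "*" inside
// an array is just a literal name, not a wildcard).
function starOrListAllows(option, requestHeaders) {
  if (option === "*") return true;
  const allowed = new Set(option.map((s) => s.toLowerCase()));
  return requestHeaders.every((n) => allowed.has(n.toLowerCase()));
}

// Constructed sample inputs.
console.log(fetchStyleAllows("*", ["Authorization"], false));                // false
console.log(fetchStyleAllows("*, Authorization", ["Authorization"], false)); // true
console.log(starOrListAllows("*", ["Authorization"]));                       // true
console.log(starOrListAllows(["*", "Authorization"], ["X-Custom"]));         // false
```
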