Here is a brief proposal for how we could simplify the current set of CORS
headers. We can use this thread to evaluate whether it is worth breaking
with what Firefox, Safari, Chrome, and IE are doing now. And whether all
parties are willing to change their supported syntax in due course.

Furthermore, I suggest that if we have nothing conclusive on this topic by
June 15 we consider ISSUE-89[1] as resolved. We have to move on at some
point. (Maybe the chairs should issue a CfC for this to make it official.)

I suggest we merge Access-Control-Allow-Origin,
Access-Control-Allow-Credentials, and Access-Control-Max-Age into a new
header, named CORS. The syntax of this new header would be:

    "CORS" : "credentials"? origin-value delta-seconds?

Access-Control-Allow-Methods and Access-Control-Allow-Headers become
CORS-Methods and CORS-Headers respectively. I do not think it is worth
trying to merge these in as well.

We keep the Origin header.

And Access-Control-Request-Method and Access-Control-Request-Headers are
merged into a new header, named CORS-Preflight. The syntax of this new
header would be:

    "CORS-Preflight" : Method [SP field-name]*

[1]<http://www.w3.org/2008/webapps/track/issues/89>
--
Anne van Kesteren
http://annevankesteren.nl/
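
The two grammars proposed in the message above, worked through as an added example (not code from the post or from any browser): a strict parser for each header plus the mapping back to the Access-Control-* headers they would replace. The function names, the whitespace separator in the CORS header, the accepted origin-value forms, and the rejection of a wildcard combined with "credentials" are assumptions; the last one carries over the rule of the existing headers.

```javascript
// Added example: parsers for the proposed "CORS" and "CORS-Preflight" headers.
// Assumptions (not in the proposal): CORS tokens are whitespace-separated,
// origin-value is "*", "null" or one serialized origin, and "*" is rejected
// together with "credentials", as with the existing Access-Control-* headers.
const ORIGIN_RE = /^[a-z][a-z0-9+.-]*:\/\/[^\s\/?#]+$/i;
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // HTTP token

function parseCorsHeader(value) {
  const parts = value.trim().split(/\s+/);
  let credentials = false;
  if (parts[0] === "credentials") { credentials = true; parts.shift(); }
  const origin = parts.shift();
  if (!origin) return null; // origin-value is the only mandatory part
  if (origin !== "*" && origin !== "null" && !ORIGIN_RE.test(origin)) return null;
  if (credentials && origin === "*") return null; // fail closed
  let maxAge = null;
  if (parts.length) {
    const delta = parts.shift();
    if (!/^[0-9]+$/.test(delta)) return null; // delta-seconds is digits only
    maxAge = Number(delta);
  }
  if (parts.length) return null; // trailing tokens are not in the grammar
  return { credentials, origin, maxAge };
}

function parseCorsPreflight(value) {
  const parts = value.split(" "); // Method [SP field-name]*
  if (!parts.every((p) => TOKEN_RE.test(p))) return null;
  // Methods are case-sensitive; header field names are not.
  return { method: parts[0], headers: parts.slice(1).map((h) => h.toLowerCase()) };
}

function toLegacyResponseHeaders(cors) {
  const out = { "Access-Control-Allow-Origin": cors.origin };
  if (cors.credentials) out["Access-Control-Allow-Credentials"] = "true";
  if (cors.maxAge !== null) out["Access-Control-Max-Age"] = String(cors.maxAge);
  return out;
}

function toLegacyRequestHeaders(preflight) {
  const out = { "Access-Control-Request-Method": preflight.method };
  if (preflight.headers.length) {
    out["Access-Control-Request-Headers"] = preflight.headers.join(", ");
  }
  return out;
}
```

Returning null on any deviation from the grammar means a malformed header grants nothing, rather than being interpreted leniently.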