Simpler and/or shorter would indeed be good, although it may be too
late.
Jonas, IE Guys (Chris, Adrian, ...) - what is your input on this issue?
-Art Barstow
On May 13, 2010, at 3:39 AM, ext Maciej Stachowiak wrote:
On May 6, 2010, at 5:30 PM, Anne van Kesteren wrote:
Here is a brief proposal for how we could simplify the current set
of CORS headers. We can use this thread to evaluate whether it is
worth breaking with what Firefox, Safari, Chrome, and IE are doing
now. And whether all parties are willing to change their supported
syntax in due course.
Furthermore, I suggest that if we have nothing conclusive on this
topic by June 15 we consider ISSUE-89[1] as resolved. We have to
move on at some point. (Maybe the chairs should issue a CfC for
this to make it official.)
I suggest we merge Access-Control-Allow-Origin, Access-Control-
Allow-Credentials, and Access-Control-Max-Age into a new header,
named CORS. The syntax of this new header would be:
"CORS" : "credentials"? origin-value delta-seconds?
Access-Control-Allow-Methods and Access-Control-Allow-Headers
become CORS-Methods and CORS-Headers respectively. I do not think
it is worth trying to merge these in as well.
We keep the Origin header.
And Access-Control-Request-Method and Access-Control-Request-
Headers are merged into a new header, named CORS-Preflight. The
syntax of this new header would be:
"CORS-Preflight" : Method [SP field-name]*
[1]<http://www.w3.org/2008/webapps/track/issues/89>
I'm not that keen on changing the names, but if we do, I think
"CORS" might be a bit mysterious by itself as a header name. Here's
another set of naming suggestions, if we do go down the renaming
path (which for the record I'd rather not):
CORS ==> Allow-Access or Expose-Response
CORS-Methods ==> Allow-Methods
CORS-Headers ==> Allow-Headers (or Allow-Request-Headers)
CORS-Preflight ==> can't think of a better name for this
new header to expose more response headers ==> Expose-Headers (or
Expose-Response-Headers)
Regards,
Maciej
