Currently when making a preflight request user agents are required to
include "content-type" in the Access-Control-Request-Headers header if the
author specified a Content-Type header. However, this Content-Type header
included in the actual request can contain a header value allowed by
"simple headers", such as "text/plain". Is it a problem that the server
cannot distinguish which Content-Type header is meant? The primary reason
for the preflight request is awareness, but it still strikes me as icky.

There is one other problem noted by sicking on the WHATWG list. Namely
that Content-Type can also be set by the user agent. E.g. based on the
File object passed to the send() method in XMLHttpRequest. So I think I
will update the places where CORS compares "author request headers" (I
renamed "custom request headers" as "author" is clearer and "custom"
caused confusion) against "simple headers" to also compare the
Content-Type header (if set by the user agent) against "simple headers".
Does that make sense?
--
Anne van Kesteren
http://annevankesteren.nl/
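
The comparison discussed in the message above, as an added JavaScript sketch that is not part of the original message or of the CORS specification text. The function names and sample requests are hypothetical, and listing a user-agent-set Content-Type in Access-Control-Request-Headers the same way as an author-set one is an assumption.

```javascript
// Added illustration; names such as planRequest are hypothetical.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A header is "simple" by name alone, except Content-Type, where the
// media type (parameters ignored) must be one of three values.
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (SIMPLE_NAMES.has(n)) return true;
  if (n !== "content-type") return false;
  const mediaType = String(value).split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// authorHeaders: headers the author set with setRequestHeader().
// uaContentType: Content-Type chosen by the user agent (for example from
// the type of a File passed to send()), or null. An author value wins.
function planRequest(method, authorHeaders, uaContentType) {
  const headers = new Map();
  for (const [name, value] of Object.entries(authorHeaders)) {
    headers.set(name.toLowerCase(), value);
  }
  if (uaContentType != null && !headers.has("content-type")) {
    headers.set("content-type", uaContentType);
  }
  const entries = [...headers];
  const preflight = !SIMPLE_METHODS.has(method.toUpperCase()) ||
    entries.some(([n, v]) => !isSimpleHeader(n, v));
  // Only header names are announced; values never reach the preflight.
  const acrh = preflight ? entries.map(([n]) => n).sort().join(", ") : null;
  return { preflight, acrh };
}

// Constructed sample requests.
const samples = [
  ["POST", { "X-Custom": "1", "Content-Type": "text/plain" }, null],
  ["POST", { "X-Custom": "1", "Content-Type": "application/json" }, null],
  ["POST", {}, "application/json"], // type taken from a File object
  ["POST", {}, "text/plain; charset=UTF-8"],
];
for (const s of samples) console.log(JSON.stringify(s), planRequest(...s));
```

The first two samples yield the same Access-Control-Request-Headers value, so a server that cares about the media type has to check Content-Type on the actual request rather than rely on the preflight.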