On 27 July 2011 22:34, Anne van Kesteren <[email protected]> wrote: > <[email protected]> wrote: >> >> I carefully examined the bits of the CORS spec (edition >> http://www.w3.org/TR/2010/WD-cors-20100727/ ) relevant to the >> Access-Control-Request-Header. > > Could you please review http://dev.w3.org/2006/waf/access-control/ instead? > The TR/ version is (always) out of date.
Thanks Anne, "author request headers" sounds more to the point than the previous "custom request headers". Regarding "6. Resource processing model": [item 3] "A list of headers consisting of zero or more header field names that are supported by the resource.": Is this list supposed to be 1) of the non-simple headers only - as per http://dev.w3.org/2006/waf/access-control/#simple-header or 2) of all supported headers that the author may choose to set, including those that qualify as simple? Because right now the Java CORS filter expects to receive only non-simple headers in "Access-Control-Request-Headers", and if for some reason the browser has decided to include a simple header, e.g. "Accept", in the preflight request it won't be allowed to proceed. Vladimir -- Vladimir Dzhuvinov :: [email protected] http://NimbusDS.com :: Nimble directory services for web and cloud applications
